While performing an upgrade, the team discovered a security issue, CVE-2016-6653. This affects cf-mysql releases v27 and v28.
In the case where either has been deployed, and the following three conditions are true: - Configured to send logs to a syslog service - Syslog transport is not encrypted - Audit logging is enabled
… then, cf-mysql will mistakenly send those audit logs to to the syslog service without encryption.
Especially in the case where the
query directive has been specified in the
cf_mysql.mysql.server_audit_events property, this can transmit all application data in a way that is not protected from network observers.
Furthermore, in this configuration, BOSH will not be able to automatically upgrade, see below.
- Do not send the mysql audit logs to syslog [#131120795]
- Detaching the persistent disk failed when both syslog and audit logs were enabled [#131023259]
Upgrading from cf-mysql v27 or v28
- If upgrading from v27 or v28, if both
syslog_aggregatorhad been configured, you may encounter problems when bosh tries to detach the persistent disk from the MySQL VMs. This will look like the following:
Started updating job mysql_z1 > mysql_z1/0 (55170f29-1796-48ef-ac48-abb325eec1a8) (canary). Failed: Action Failed get_task: Task 462ff34b-78ed-4d16-5ce9-fd707a45e9f1 result: Migrating persistent disk: Remounting persistent disk as readonly: Unmounting /var/vcap/store: Running command: ‘umount /var/vcap/store’, stdout: “, stderr: ‘umount: /var/vcap/store: device is busy.
(In some cases useful info about processes that use the device is found by lsof(8) or fuser(1))
The problem can be resolved by:
1. Ssh onto the MySQL VMs, using your preferred method
1. Comment out lines 44-48 of
bosh deploy again; it should succeed this time
In typical agile fashion, we had completed a few feature stories, so they’re included as well.
- galera_healthcheck should log when it encounters a bad state or error discovering state
galera_healthcheck job now logs more verbosely when it encounters problems.
- switchboard proxy should provide an HTTP healthcheck
- This allows the cluster to work with Load Balancers that use only HTTP health checks.
- The health check port should continue to work with load balancers that use TCP health checks.
Upload this release version to the Director:
$ bosh upload-release https://bosh.io/d/github.com/cloudfoundry/cf-mysql-release?v=29 --sha1 c335d01d83b83a17dfd8713f1b1e83e28d4bd02a
Modify deployment manifest to use this release in addition to any other used releases:
releases: - name: cf-mysql version: "29"
Finally add needed deployment jobs and specify values for required properties.
Optionally download sha1: c335d01d83b83a17dfd8713f1b1e83e28d4bd02a release tarball locally:
# ...or download it directly using curl $ curl -L -J -O https://bosh.io/d/github.com/cloudfoundry/cf-mysql-release?v=29 # or with wget... $ wget --content-disposition https://bosh.io/d/github.com/cloudfoundry/cf-mysql-release?v=29