CVE-2022-3023: Externally-Controlled Format String Vulnerability in PingCAP/tidb before Versions 6.4.0 and 6.1.3

Introduction:
A vulnerability tracked as CVE-2022-3023 affects the GitHub repository pingcap/tidb prior to versions 6.4.0 and 6.1.3. It is an externally-controlled format string (CWE-134): a string derived from user-supplied data reaches the format parameter of a printf-style call, so the formatter interprets any conversion verbs the attacker placed in it. TiDB is written in Go, whose fmt package is memory-safe, so the classic C outcomes of this bug class (arbitrary memory reads and writes, code execution) do not apply; the realistic impact is corrupted or attacker-shaped error and log messages, and padded or inflated output that can be used to degrade the service.

Background:
The PingCAP/tidb GitHub repository hosts the source code for TiDB, a distributed SQL database that provides MySQL compatibility and horizontal scalability. The vulnerability stems from incorrect construction of format strings in error and log messages emitted on certain error paths involving table structure and data changes.

Vulnerability Details:

The vulnerability is caused by the use of an externally-controlled format string in an error message. The simplified snippet below shows the duplicate-key error path on which the message is built:

func (s *session) tryExecute(deleteKeys, insertKeys []kv.Key, lazy bool, state *State) error {
    ...
    if err != nil {
        if kv.ErrKeyExists.Equal(err) {
            keyValue := insertKeys[i]
            return infoschema.ErrDupEntry.GenWithStack("Duplicate entry: %s for key %s", keyValue, indexInfo.Name)
        }
    ...
}

Go's fmt interprets every conversion verb in the format argument, and only the format argument. In the shape shown above, the format is a literal ("Duplicate entry: %s for key %s") and keyValue and indexInfo.Name are passed as arguments, which is the safe shape: a value containing "%s" is printed verbatim. The defect is the variant of this call in which a string derived from input data (a key value, an index or column name) ends up in the format parameter itself, for instance because it was concatenated into the message text before the call. A value such as "%s%d%v" is then treated as verbs: each verb with no matching argument is rendered as "%!d(MISSING)", verbs with an argument consume the arguments meant for later verbs, and width specifiers such as "%100000s" pad the output. The result is a mangled or attacker-shaped message rather than the expected error text.

Exploit Scenario

An attacker who can get crafted values into the affected error path of a vulnerable TiDB version (for example by inserting a duplicate row whose key value contains format verbs) can exploit CVE-2022-3023 to corrupt the resulting error or log message, inject misleading text into logs that operators or alerting rules read, or inflate the output with padding directives. Because Go's formatter is memory-safe, the practical impact is the integrity of error and log output and, at worst, resource consumption; memory corruption and remote code execution are not outcomes of this bug class in Go.

Mitigation

To mitigate this vulnerability, update your TiDB installation to at least version 6.4.0 or 6.1.3. The fix removes the externally-controlled format string by letting the error definition own the message template and passing the input-derived values only as arguments:

func (s *session) tryExecute(deleteKeys, insertKeys []kv.Key, lazy bool, state *State) error {
    ...
    if err != nil {
        if kv.ErrKeyExists.Equal(err) {
            keyValue := insertKeys[i]
            return infoschema.ErrDupEntry.GenWithStackByArgs(keyValue, indexInfo.Name)
        }
    ...
}

In the patched code snippet above, GenWithStackByArgs takes only the arguments; the message template is fixed in the ErrDupEntry definition, so no caller-supplied or input-derived string can reach the format parameter. When reviewing similar code, treat any printf-style call whose format argument is not a string literal as suspect, and check error and log output for the "%!" marker that Go's fmt emits for verbs it could not satisfy.
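As an added illustration of both the vulnerable pattern described under Vulnerability Details and the fixed shape shown above, the following Go program models the two API shapes with a minimal templated error type. This is example code written for this page, not TiDB's or pingcap/errors' implementation: the Error type, ErrDupEntry, the hostile input, the index name and the helper names are all assumptions constructed here; only the behaviour of Go's fmt package is real.

```go
package main

import (
	"fmt"
	"strings"
)

// Error is a minimal model of a templated error class whose message template
// is fixed where the error is defined. It is an assumption of this example and
// not the pingcap/errors or TiDB implementation.
type Error struct {
	Code    int
	Message string // fixed template; its verbs are filled only by the caller's args
}

// GenWithStack models an API that lets the CALLER supply the format string.
// It is only as safe as the caller: a format assembled from input is the bug.
func (e *Error) GenWithStack(format string, args ...interface{}) error {
	return fmt.Errorf(format, args...)
}

// GenWithStackByArgs models the fixed shape: the template is e.Message, set
// once at definition time, and the caller can only supply arguments.
func (e *Error) GenWithStackByArgs(args ...interface{}) error {
	return fmt.Errorf(e.Message, args...)
}

// ErrDupEntry is a constructed stand-in for a duplicate-key error definition
// (1062 is the MySQL ER_DUP_ENTRY code; the template text is an assumption).
var ErrDupEntry = &Error{Code: 1062, Message: "Duplicate entry '%s' for key '%s'"}

// Constructed attacker-controlled input: a column value that contains format
// verbs, and the name of the unique index it collided on.
const hostileValue = "x%s%d%v"
const indexName = "idx_email"

// vulnerablePattern reproduces the bug class: the externally supplied value is
// spliced into the format string before it reaches the formatter, so fmt
// interprets the attacker's verbs and the index name lands in the wrong place.
func vulnerablePattern(value, index string) string {
	format := "Duplicate entry '" + value + "' for key '%s'"
	return ErrDupEntry.GenWithStack(format, index).Error()
}

// fixedPattern is the shape of the fix: constant template, values only as args.
func fixedPattern(value, index string) string {
	return ErrDupEntry.GenWithStackByArgs(value, index).Error()
}

// constantFormatPattern shows that the caller-supplied-format API is also safe
// when the format is a literal and the input-derived values are arguments.
func constantFormatPattern(value, index string) string {
	return ErrDupEntry.GenWithStack("Duplicate entry '%s' for key '%s'", value, index).Error()
}

// hasFormatArtifacts is a cheap triage check for logs and error responses:
// Go's fmt marks every verb it could not satisfy with a "%!" prefix, so that
// marker in output is a strong sign that untrusted text reached a format parameter.
func hasFormatArtifacts(msg string) bool {
	return strings.Contains(msg, "%!")
}

func main() {
	vuln := vulnerablePattern(hostileValue, indexName)
	fmt.Println("vulnerable:", vuln, "artifacts:", hasFormatArtifacts(vuln))
	fixed := fixedPattern(hostileValue, indexName)
	fmt.Println("fixed:     ", fixed, "artifacts:", hasFormatArtifacts(fixed))
	fmt.Println("literal:   ", constantFormatPattern(hostileValue, indexName))
}
```

Running it shows the vulnerable path printing the index name inside the value, followed by "%!d(MISSING)" and "%!v(MISSING)" for the attacker's unmatched verbs and "%!s(MISSING)" where the key name should have been, while both safe paths print the value verbatim. The hasFormatArtifacts check is the same heuristic you can run over collected logs to find call sites that still take an input-derived format.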

Original References

- PingCAP/tidb Commit Fixing CVE-2022-3023
- PingCAP/tidb Release
- PingCAP/tidb Release for 6.1.3
- CVE-2022-3023 Record on the CVE List

Conclusion:
CVE-2022-3023 is a format string injection in TiDB that undermines the integrity of its error and log output and should be addressed promptly. Ensure that your deployment is updated to a fixed version (6.4.0 or 6.1.3), and audit your own code for printf-style calls whose format argument is not a literal.

Timeline

Published on: 11/04/2022 12:15:00 UTC
Last modified on: 11/05/2022 02:02:00 UTC