CVE-2021-31556
📋 TL;DR
This vulnerability in MediaWiki's OAuth extension allows attackers to cause denial of service or potentially execute arbitrary code by submitting RSA keys that exceed MySQL blob storage limits. It affects MediaWiki installations with the OAuth extension enabled through version 1.35.2. The high CVSS score reflects the potential for remote code execution.
💻 Affected Systems
- MediaWiki with OAuth extension
📦 What is this software?
Fedora by Fedoraproject
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment.
Likely Case
Denial of service causing MediaWiki instance unavailability, potentially corrupting database entries.
If Mitigated
Limited impact with proper input validation and database constraints in place.
🎯 Exploit Status
Exploitation requires OAuth consumer registration access, which typically requires some level of authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.35.3 or later
Vendor Advisory: https://phabricator.wikimedia.org/T277380
Restart Required: No
Instructions:
1. Update MediaWiki to version 1.35.3 or later.
2. Update the OAuth extension if installed separately.
3. Verify the patch is applied by checking the MWOAuthConsumerSubmitControl.php file.
🔧 Temporary Workarounds
Disable OAuth extension
Temporarily disable the OAuth extension if it is not required.
Edit LocalSettings.php and comment out or remove: wfLoadExtension('OAuth');
Database constraint enforcement
Add MySQL/MariaDB constraints to limit blob field sizes.
ALTER TABLE oauth_registered_consumer MODIFY oauth_rsa_key BLOB(65535);
🧯 If You Can't Patch
- Implement strict input validation for RSA key submissions
- Restrict OAuth consumer registration to trusted administrators only
🔍 How to Verify
Check if Vulnerable:
Check the MediaWiki version and whether the OAuth extension is enabled. If the version is <= 1.35.2 and OAuth is enabled, the system is vulnerable.
Check Version:
grep 'wgVersion' includes/DefaultSettings.php
Verify Fix Applied:
Verify that the MediaWiki version is >= 1.35.3 and that MWOAuthConsumerSubmitControl.php includes a length check on the submitted RSA key.
📡 Detection & Monitoring
Log Indicators:
- Database errors related to blob overflow
- OAuth consumer registration attempts with unusually large RSA keys
Network Indicators:
- HTTP POST requests to OAuth registration endpoints with large payloads
SIEM Query:
source="mediawiki.log" AND ("blob overflow" OR ("OAuth consumer submit" AND size>65535))
🔗 References
- https://gerrit.wikimedia.org/r/q/I13ff0350a9a0a3cd5ab3e1f82dd0d8d9c13cf9e9
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/
- https://phabricator.wikimedia.org/T277380