CVE-2021-41799
📋 TL;DR
CVE-2021-41799 is a denial-of-service vulnerability in MediaWiki's ApiQueryBacklinks feature that allows attackers to trigger full table scans, consuming excessive database resources and causing service degradation. This affects MediaWiki instances before version 1.36.2. Any MediaWiki installation with the vulnerable version is susceptible to resource exhaustion attacks.
💻 Affected Systems
- MediaWiki
📦 What is this software?
Fedora by Fedoraproject
Mediawiki by Mediawiki
⚠️ Risk & Real-World Impact
Worst Case
Complete service unavailability due to database resource exhaustion, potentially affecting all users and requiring database restart or server reboot.
Likely Case
Significant performance degradation, slow page loads, and intermittent service disruptions affecting user experience.
If Mitigated
Minimal impact with proper rate limiting, query optimization, and monitoring in place.
🎯 Exploit Status
Exploitation requires only HTTP requests to the vulnerable API endpoint with crafted parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MediaWiki 1.36.2 and later
Vendor Advisory: https://phabricator.wikimedia.org/T290394
Restart Required: No
Instructions:
1. Back up your MediaWiki installation and database.
2. Update MediaWiki to version 1.36.2 or later.
3. Clear caches if necessary.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable ApiQueryBacklinks
Temporarily disable the vulnerable API endpoint to prevent exploitation.
Edit LocalSettings.php and add: $wgAPIListModules['backlinks'] = false;
Implement Rate Limiting
Add rate limiting to API queries to prevent resource exhaustion.
Edit LocalSettings.php and configure: $wgRateLimits['action']['query'] = ['user' => [100, 60]];
🧯 If You Can't Patch
- Implement strict rate limiting on API endpoints
- Monitor database performance and set alerts for unusual query patterns
🔍 How to Verify
Check if Vulnerable:
Check MediaWiki version in includes/DefaultSettings.php or via Special:Version page. If version is below 1.36.2, you are vulnerable.
Check Version:
grep 'wgVersion' includes/DefaultSettings.php
Verify Fix Applied:
After updating, verify that the version shown on the Special:Version page is 1.36.2 or higher, then exercise ApiQueryBacklinks while monitoring the database to confirm that no full table scans occur.
📡 Detection & Monitoring
Log Indicators:
- Unusually long query execution times in database logs
- High frequency of API requests to action=query&list=backlinks
- Database connection pool exhaustion alerts
Network Indicators:
- High volume of requests to /api.php with backlinks parameters
- Increased response times for API queries
SIEM Query:
source="apache_access.log" AND uri="/api.php" AND query="*list=backlinks*" | stats count by src_ip
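Added example (not from the advisory or from MediaWiki): a Python script that applies the same detection logic as the SIEM query above to Apache access-log lines, counting action=query&list=backlinks requests per source IP inside a sliding time window and flagging sources that exceed a threshold. The sample log lines, IP addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Apache combined log format: ip ident user [timestamp] "method uri proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def is_backlinks_query(uri):
    """True when the request hits api.php with action=query and list containing backlinks.
    MediaWiki accepts several list modules separated by '|', so split on it."""
    parts = urlsplit(uri)
    if not parts.path.endswith('/api.php'):
        return False
    qs = parse_qs(parts.query)
    if 'query' not in qs.get('action', []):
        return False
    return any('backlinks' in v.split('|') for v in qs.get('list', []))

def flag_sources(log_lines, threshold, window_seconds=60):
    """Return {ip: peak} for IPs whose backlinks-query count inside any
    window_seconds-long sliding window exceeds threshold."""
    stamps = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_backlinks_query(m.group('uri')):
            ts = datetime.strptime(m.group('ts'), '%d/%b/%Y:%H:%M:%S %z')
            stamps[m.group('ip')].append(ts)
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample: one source bursting backlinks queries, one occasional user, one unrelated
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2021:13:55:3{i} +0000] "GET /w/api.php?action=query&list=backlinks&bltitle=Main_Page HTTP/1.1" 200 5120'
    for i in range(6, 10)
] + [
    '198.51.100.2 - - [10/Oct/2021:13:55:40 +0000] "GET /w/api.php?action=query&list=backlinks&bltitle=Main_Page HTTP/1.1" 200 5120',
    '198.51.100.2 - - [10/Oct/2021:13:57:10 +0000] "GET /w/api.php?action=query&list=backlinks&bltitle=Main_Page HTTP/1.1" 200 5120',
    '192.0.2.9 - - [10/Oct/2021:13:55:42 +0000] "GET /w/api.php?action=query&list=search&srsearch=x HTTP/1.1" 200 900',
]

if __name__ == '__main__':
    print(flag_sources(SAMPLE_LOG, threshold=3))  # {'203.0.113.7': 4}
```

Feed real access-log lines to flag_sources and tune threshold to the legitimate backlinks query rate seen on your wiki before alerting on it.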
🔗 References
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CJDYJQWT43GBD6GNQ4OW7JOZ6WQ6DZTN/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MDBPECBWN6LWNSWIQMVXK6PP4YFEUYHA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QNEAI2T3Y65I55ZB6UE6RMC662RZTGRX/
- https://lists.wikimedia.org/hyperkitty/list/wikitech-l%40lists.wikimedia.org/thread/2IFS5CM2YV4VMSODPX3J2LFHKSEWVFV5/
- https://phabricator.wikimedia.org/T290394
- https://security.gentoo.org/glsa/202305-24