I'll sum up my view on this (which I had hoped would be yours, too): So far, in Ubuntu, mysqld always listened on port 3306 only, and only on the loopback interface by default. 20.04 introduced a mysql server version which introduces the MySQL X protocol. The expectation a mysql server administrator will have grown since, as well as anyone who expects Ubuntu to be 'secure by default' (https://wiki.ubuntu.com/SecurityTeam/Policies#No_Open_Ports), will be that a new Ubuntu release will not unexpectedly (and without notice) introduce new listening ports, especially not on the Internet, especially not for a service as sensitive as a database. However, this is what 20.04 does: the MySQL X service is, by default, listening on all interfaces, on TCP port 33060.
As Bryce has clarified (thanks!), port 33060 *is* closed in later releases, which actually weakens the point that there are legitimate reasons to keep it open on 20.04 LTS. The potential regression which would be introduced by fixing this problem now (that 20.04 LTS has been released for a while), i.e. users who might since have come to expect that port 33060/tcp is listening on all interfaces, can be overcome by having the preinstall/postinst script, or rather debconf, prompt about the desired configuration.

For what it's worth, Shodan.io lists several Ubuntu 20.04 systems which have the MySQL X protocol on 33060/tcp listening from the Internet.

The "MySQL X" network protocol provides effectively the same capabilities as the classic mysql network protocol (3306/tcp), and features a weak authentication method over a transport-encrypted channel. Client implementations are provided; brute force attacks against the authentication are possible.

https://dev.mysql.com/doc/dev/mysql-server/latest/mysqlx_protocol.html#xprotocol_mysqlxshell_example
https://dev.mysql.com/doc/dev/mysql-server/latest/mysqlx_protocol_authentication.html

I would hope that the technical reasoning is sufficient to clarify the need for an SRU, but this should clarify how this can also pose a brand awareness / commercial risk.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1857584

Title: MySQL X protocol port 33060 listening on network by default

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/mysql-8.0/+bug/1857584/+subscriptions
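An added example (not part of the bug thread or of the Ubuntu package) for administrators who want to check whether an existing mysqld option file leaves the X listener on all interfaces, as the 20.04 default does: it audits the [mysqld] section for the MySQL 8.0 options mysqlx, mysqlx-bind-address and mysqlx-port and classifies the result. The two sample option files are constructed for illustration, and the assumed option names follow the MySQL 8.0 server documentation (an unset mysqlx-bind-address means the server default, all interfaces).

```shell
#!/bin/sh
# Classify the MySQL X (33060/tcp) exposure of one mysqld option file.
# Prints DISABLED (X plugin off), LOOPBACK (bound to loopback) or EXPOSED
# (no mysqlx-bind-address, i.e. server default '*', or a non-loopback address).
# Assumption: option names as documented for MySQL 8.0; '-' and '_' are equivalent.
mysqlx_exposure() {
    cnf="$1"
    # Normalise: drop comments and blanks, strip whitespace, '-' -> '_', lowercase.
    norm=$(sed -e 's/[#;].*$//' -e 's/[[:space:]]//g' -e 'y/-/_/' -e '/^$/d' "$cnf" \
           | tr '[:upper:]' '[:lower:]')
    # Only options in the [mysqld] section apply to the server.
    in_mysqld=$(printf '%s\n' "$norm" | awk '/^\[/{sec=$0} sec=="[mysqld]"')
    if printf '%s\n' "$in_mysqld" | grep -Eq '^(skip_mysqlx|mysqlx=(off|0))$'; then
        echo DISABLED; return 0
    fi
    # Last mysqlx_bind_address wins, as in a real option file.
    bind=$(printf '%s\n' "$in_mysqld" | grep -E '^mysqlx_bind_address=' | tail -n1 | cut -d= -f2)
    case "$bind" in
        127.0.0.1|::1|localhost) echo LOOPBACK ;;
        *) echo EXPOSED ;;
    esac
}

# Constructed samples: a 20.04-style file that pins only the classic listener
# to loopback (X protocol still on '*'), and a hardened one that pins both.
weak_cnf=$(mktemp); hard_cnf=$(mktemp)
cat >"$weak_cnf" <<'EOF'
[mysqld]
user         = mysql
bind-address = 127.0.0.1
mysqlx-port  = 33060
EOF
cat >"$hard_cnf" <<'EOF'
[mysqld]
bind-address        = 127.0.0.1
mysqlx-bind-address = 127.0.0.1   # X protocol only on loopback
EOF

echo "weak: $(mysqlx_exposure "$weak_cnf")"   # EXPOSED
echo "hard: $(mysqlx_exposure "$hard_cnf")"   # LOOPBACK
```

Run it against /etc/mysql/mysql.conf.d/mysqld.cnf and confirm the live state with `ss -ltn`, which should show 33060 on 127.0.0.1 only once the file is hardened and mysql restarted.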
