Description:
With MySQL 5.6, P_S can track connection attributes set by the client at
connection time. The mysql (and related) clients include attributes which
the user cannot control or restrict in any way. This means that the
following is always exposed to all users able to query
performance_schema.session_connect_attrs:
* OS info
* client thread ID
* platform
While it is unclear whether any of this information can be leveraged into security
exploits, the lack of control over what information is exposed
is problematic.
How to repeat:
mysql> SELECT * FROM performance_schema.session_connect_attrs\G
*************************** 1. row ***************************
PROCESSLIST_ID: 4
ATTR_NAME: _command_line
ATTR_VALUE: bin\mysql -uroot -P3307 -p
ORDINAL_POSITION: 0
*************************** 2. row ***************************
PROCESSLIST_ID: 4
ATTR_NAME: _client_name
ATTR_VALUE: libmysql
ORDINAL_POSITION: 1
*************************** 3. row ***************************
PROCESSLIST_ID: 4
ATTR_NAME: _pid
ATTR_VALUE: 3944
ORDINAL_POSITION: 2
*************************** 4. row ***************************
PROCESSLIST_ID: 4
ATTR_NAME: _client_version
ATTR_VALUE: 5.6.6-m9
ORDINAL_POSITION: 3
*************************** 5. row ***************************
PROCESSLIST_ID: 4
ATTR_NAME: _platform
ATTR_VALUE: x86
ORDINAL_POSITION: 4
*************************** 6. row ***************************
PROCESSLIST_ID: 4
ATTR_NAME: program_name
ATTR_VALUE: mysql
ORDINAL_POSITION: 5
*************************** 7. row ***************************
PROCESSLIST_ID: 4
ATTR_NAME: _os
ATTR_VALUE: Win32
ORDINAL_POSITION: 6
*************************** 8. row ***************************
PROCESSLIST_ID: 4
ATTR_NAME: _thread
ATTR_VALUE: 1340
ORDINAL_POSITION: 7
Suggested fix:
Allow mysql (and related clients, including replication and FEDERATED connections using libmysql) to specify which attributes to expose or not.
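
An added audit example, not part of the original report: the first query lists the accounts that can read performance_schema.session_connect_attrs, and the second summarizes which attribute names connected clients are currently exposing. It assumes the standard grant tables (mysql.user, mysql.db, mysql.tables_priv) and an account allowed to read them.

```sql
-- 1. Who can read performance_schema.session_connect_attrs?
--    SELECT may be granted at global, schema or table scope,
--    so all three grant tables have to be checked.
SELECT 'global' AS scope, User, Host
  FROM mysql.user
 WHERE Select_priv = 'Y'
UNION ALL
SELECT 'schema', User, Host
  FROM mysql.db
 WHERE Select_priv = 'Y'
   -- Db can hold a wildcard pattern (e.g. '%' or 'performance\_schema'),
   -- so match the schema name against it instead of comparing for equality.
   AND 'performance_schema' LIKE Db
UNION ALL
SELECT 'table', User, Host
  FROM mysql.tables_priv
 WHERE Db = 'performance_schema'
   AND Table_name = 'session_connect_attrs'
   AND FIND_IN_SET('Select', Table_priv) > 0
 ORDER BY User, Host, scope;

-- 2. Which attributes are exposed right now, and by how many sessions?
--    Names starting with '_' are set by the client library itself
--    (as in the output above: _command_line, _pid, _os, _thread, ...).
SELECT ATTR_NAME,
       COUNT(DISTINCT PROCESSLIST_ID) AS sessions
  FROM performance_schema.session_connect_attrs
 GROUP BY ATTR_NAME
 ORDER BY sessions DESC, ATTR_NAME;
```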