An issue was discovered in Percona PMM Server (OVA) before 3.0.0-1.ova. The default service account credentials can lead to SSH access, use of Sudo to root, and sensitive data exposure. This is fixed in PMM2 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, and 2.44.0-1.ova and in PMM3 3.0.0-1.ova and later.
Percona PMM Server in OVA version is supplied with default, unsecured credentials for the built-in service account. An attacker can use these credentials to establish an SSH session with the virtual machine. After gaining access, it is possible to use the Sudo mechanism to escalate privileges to root (privilege escalation), and then gain unrestricted access to all system resources and stored sensitive data.
An attacker can gain full control over the server operating system (root privileges), enabling reading, modification, or deletion of monitoring data, as well as compromising the infrastructure managed by PMM.
PMM2 should be updated to one of the following versions: 2.42.0-1.ova, 2.43.0-1.ova, 2.43.1-1.ova, 2.43.2-1.ova, or 2.44.0-1.ova, and PMM3 should be updated to version 3.0.0-1.ova or later. Detailed information is available in the vendor's security bulletin at the address provided in references.
Percona PMM Server in OVA format — all PMM2 versions before 2.42.0-1.ova and PMM3 before 3.0.0-1.ova
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H