Percona Monitoring and Management 2.44.0-1
Release date: February 10th, 2025
Percona Monitoring and Management (PMM) is an open-source database monitoring, management, and observability solution for MySQL, PostgreSQL, and MongoDB.
It provides tools to observe database health, analyze performance trends, troubleshoot issues, and execute database management tasks—whether your databases are on-premises or in the cloud.
SEVERITY: CRITICAL - IMMEDIATE ACTION REQUIRED
A critical vulnerability has been identified in PMM Open Virtual Appliance (OVA) installations that enables unauthorized root access and potential exposure of system credentials.
Immediate actions required
- UPGRADE IMMEDIATELY to PMM 2.44.0-1 (strongly recommended).
- CHANGE ALL CREDENTIALS for connected services.
- AUDIT ACCESS LOGS for potential unauthorized access.
Vulnerability details
This vulnerability stems from default service account credentials in OVA provisioning that enable:
- unauthorized SSH access
- privilege escalation to root via sudo capabilities
- potential exposure of service credentials and configurations
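The three conditions above (a usable login shell, an unlocked password, and a sudoers grant) can be checked directly on an appliance. The script below is an added example written for these notes; it is not part of the release notes or of PMM itself. It reads passwd, shadow and sudoers data from whatever file paths you pass in (so it can be pointed at `/etc/passwd`, `/etc/shadow` and `/etc/sudoers` or `/etc/sudoers.d`), and the demo at the bottom runs it against constructed sample files rather than a real system. The account name `vagrant` is taken from the mitigation commands later on this page.

```sh
#!/bin/sh
# Added example, not from the PMM release notes or the PMM project: audit a
# provisioning account for the properties that turn it into an unauthorized root
# path. Every check takes the file to read as an argument so it can run against
# the live /etc files or against copies.

# 0 = the account has an interactive shell; 1 = nologin/false shell or no such user
has_login_shell() {
    user=$1; passwd_file=$2
    shell=$(awk -F: -v u="$user" '$1 == u { print $7 }' "$passwd_file")
    [ -n "$shell" ] || return 1
    case "$shell" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 = password field is usable (including empty, i.e. no password at all);
# 1 = locked with a "!" or "*" prefix, or no such user
password_unlocked() {
    user=$1; shadow_file=$2
    line=$(awk -F: -v u="$user" '$1 == u' "$shadow_file")
    [ -n "$line" ] || return 1
    hash=${line#*:}; hash=${hash%%:*}
    case "$hash" in
        '!'*|'*'*) return 1 ;;
        *) return 0 ;;
    esac
}

# 0 = an uncommented sudoers rule names the user; 1 = none found.
# -r lets the argument be a sudoers.d directory as well as a single file.
has_sudo_entry() {
    user=$1; sudoers_path=$2
    grep -Erq "^[[:space:]]*${user}[[:space:]]" "$sudoers_path"
}

# Print one FINDING line per open path; return 0 when the account is closed off,
# 1 when at least one of the three conditions still holds.
audit_account() {
    user=$1; passwd_file=$2; shadow_file=$3; sudoers_path=$4
    open=0
    if has_login_shell "$user" "$passwd_file"; then
        echo "FINDING: $user has an interactive login shell"; open=1
    fi
    if password_unlocked "$user" "$shadow_file"; then
        echo "FINDING: $user password is not locked"; open=1
    fi
    if has_sudo_entry "$user" "$sudoers_path"; then
        echo "FINDING: $user has a sudoers rule"; open=1
    fi
    return $open
}

# --- Constructed sample data (not from a real appliance) for an offline demo ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
vagrant:x:1000:1000:vagrant:/home/vagrant:/bin/bash
admin:x:1001:1001::/home/admin:/bin/bash
EOF
cat > "$demo_dir/shadow" <<'EOF'
root:*:19000:0:99999:7:::
vagrant:$6$constructedsalt$constructedhash:19000:0:99999:7:::
admin:$6$constructedsalt$constructedhash:19000:0:99999:7:::
EOF
cat > "$demo_dir/sudoers" <<'EOF'
# constructed sudoers sample
root ALL=(ALL) ALL
vagrant ALL=(ALL) NOPASSWD:ALL
EOF

# On a live system this would be: audit_account vagrant /etc/passwd /etc/shadow /etc/sudoers
if audit_account vagrant "$demo_dir/passwd" "$demo_dir/shadow" "$demo_dir/sudoers"; then
    echo "vagrant: no open path found"
else
    echo "vagrant: still exposed; apply one of the mitigation commands from these notes"
fi
```

Run it as root (the shadow file is not world-readable). A result of 0 only says the three conditions on this page are closed; it does not replace the credential rotation and log review steps.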
Affected installations
The table below lists currently known affected deployments. We will update it if additional products are identified:
| Affected deployments | Version | Notes |
|---|---|---|
| PMM Open Virtual Appliance (OVA) installations | ≥ 2.38 | |
Restrict SSH access
PMM OVA installations should never have port 22 exposed to the public Internet unless you have implemented additional security hardening measures. Always use firewalls, VPNs, or other secure remote access methods.
Mitigation options
This release enhances security in OVA deployments by automatically removing unnecessary system accounts during the initial setup.
To secure your system, follow these steps to upgrade:
- Download and deploy the new OVA file from the Percona website.
- Log in to your system:
  ```sh
  ssh admin@your-pmm-server
  ```
- Switch to root or use sudo for the following commands:
  ```sh
  sudo -i   # or use sudo before each command
  ```
- Stop services on your current installation:
  ```sh
  supervisorctl stop all
  ```
- Back up and transfer your data:
  ```sh
  cd /srv
  tar -cvf srv.tar .
  ```
- Transfer srv.tar to the new server via scp.
- Deploy data on the new installation:
  ```sh
  # Stop all services
  supervisorctl stop all
  # Clear existing data
  cd /srv
  rm -rf *
  # Extract backup
  tar -xvf PATH_TO/srv.tar
  # Start all services
  supervisorctl start all
  ```
- Update DNS records or swap IP addresses to ensure uninterrupted Client connectivity.
Verification steps
After upgrading, verify that your system is functioning correctly:
- Check service status to confirm both PMM Client and PMM Server are running:
  ```sh
  supervisorctl status
  ```
- Ensure Client connectivity to validate data flow.
- Test system functionality by performing basic monitoring tasks.
If an upgrade is not immediately possible, follow these steps to mitigate the vulnerability:
- Secure SSH access:
  - block port 22 access at the firewall level
  - if remote access is required, restrict it to specific IP addresses
  - consider using a VPN for remote management
- Log in to your system:
  ```sh
  ssh admin@your-pmm-server
  ```
- Switch to root or use sudo for the following commands:
  ```sh
  sudo -i   # or use sudo before each command
  ```
- Execute ONE of these commands to secure the vulnerable account:
  - disable login:
    ```sh
    usermod -s /sbin/nologin vagrant
    ```
  - lock the account:
    ```sh
    passwd -l vagrant
    ```
  - remove the user completely:
    ```sh
    kill -9 $(pgrep -f vagrant)
    userdel -r vagrant
    ```
- Update service credentials:
  - change monitoring user passwords in your databases (MySQL, PostgreSQL, MongoDB)
  - update any custom service accounts you've created
  - rotate authentication tokens for monitored services
  - update the corresponding credentials in the PMM configuration
  - configure SSH access: add a public key via PMM Configuration > Settings > SSH Key
- Monitor system logs for unauthorized access.
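For the last step, the script below is an added example (not part of these release notes or of PMM) that pulls the entries worth reviewing out of a syslog-style sshd/sudo log: accepted SSH logins for the vagrant account with source address and authentication method, failed login attempts against it, and sudo sessions attributed to it. The log location (`/var/log/secure` or `/var/log/auth.log`, depending on the distribution) and the exact message formats are assumptions based on common OpenSSH and sudo logging; the sample lines at the bottom are constructed so the script runs offline.

```sh
#!/bin/sh
# Added example, not from the PMM release notes or the PMM project: summarize
# activity for one account from an sshd/sudo log. Log path and line formats are
# assumed (standard OpenSSH/sudo syslog messages); sample data is constructed.

# Print "Mon DD HH:MM:SS src_ip method" for every accepted SSH login by USER.
ssh_logins_for() {
    user=$1; logfile=$2
    awk -v u="$user" '
        /sshd\[[0-9]+\]: Accepted / && index($0, " for " u " from ") {
            ip = ""; method = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                if ($i == "from")     ip = $(i + 1)
            }
            print $1, $2, $3, ip, method
        }' "$logfile"
}

# Number of rejected login attempts for USER (prints 0 when there are none;
# "|| true" keeps grep's exit status 1 for zero matches from aborting callers).
failed_logins_for() {
    user=$1; logfile=$2
    grep -Ec "sshd\[[0-9]+\]: Failed [a-z]+ for (invalid user )?${user} from " "$logfile" || true
}

# Number of sudo sessions attributed to USER (prints 0 when there are none).
sudo_sessions_for() {
    user=$1; logfile=$2
    grep -Ec "sudo(\[[0-9]+\])?: +${user} : " "$logfile" || true
}

# Print a summary; return 1 when any activity was found (so the call can drive an
# alert) and 0 when the account is quiet in this log.
audit_user_activity() {
    user=$1; logfile=$2
    logins=$(ssh_logins_for "$user" "$logfile")
    failed=$(failed_logins_for "$user" "$logfile")
    sudos=$(sudo_sessions_for "$user" "$logfile")
    echo "== $user: accepted SSH logins =="
    [ -n "$logins" ] && printf '%s\n' "$logins"
    echo "== $user: failed attempts: $failed, sudo sessions: $sudos =="
    [ -z "$logins" ] && [ "$failed" -eq 0 ] && [ "$sudos" -eq 0 ]
}

# --- Constructed sample log (addresses from documentation ranges) for an offline demo ---
demo_log=$(mktemp)
cat > "$demo_log" <<'EOF'
Feb 10 03:14:07 pmm-server sshd[1201]: Accepted publickey for admin from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:constructed
Feb 10 03:20:41 pmm-server sshd[1290]: Accepted password for vagrant from 203.0.113.5 port 51234 ssh2
Feb 10 03:20:41 pmm-server sshd[1290]: pam_unix(sshd:session): session opened for user vagrant by (uid=0)
Feb 10 03:21:02 pmm-server sudo: vagrant : TTY=pts/0 ; PWD=/home/vagrant ; USER=root ; COMMAND=/bin/bash
Feb 10 03:25:19 pmm-server sshd[1333]: Failed password for vagrant from 203.0.113.9 port 40001 ssh2
Feb 10 03:26:55 pmm-server sshd[1340]: Accepted publickey for vagrant from 203.0.113.9 port 40010 ssh2: RSA SHA256:constructed
Feb 10 03:30:00 pmm-server sudo: admin : TTY=pts/1 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/supervisorctl status
EOF

# On a live appliance this would be: audit_user_activity vagrant /var/log/secure
audit_user_activity vagrant "$demo_log" || echo "vagrant: activity present; review it alongside the credential rotation"
```

A password-authenticated login from an address you do not recognise, followed by a sudo session, is the pattern the advisory is concerned with; anything of that shape should be treated as a compromise of every credential the appliance holds, which is why the credential rotation steps above apply even after the account is locked.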
Support & additional resources
If you require further clarification or assistance, we are available to assist you 24/7:
Upgrading from PMM 3.0.0?
If you are running PMM 3.0.0, make sure to upgrade to PMM 3.0.0-1. For upgrade instructions, see the PMM 3.0.0-1 release notes.