Bugzilla – Bug 1173600
VUL-1: CVE-2020-2875,CVE-2020-2933,CVE-2020-2934 : mysql-connector-java: Update to version 5.1.49 (April 2020)
Last modified: 2024-05-22 14:32:08 UTC
Includes:

CVE-2020-2875: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS v3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

CVE-2020-2934: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS v3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

CVE-2020-2933: Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS v3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Reference: https://www.oracle.com/security-alerts/cpuapr2020verbose.html#MSQL
*** Bug 1173599 has been marked as a duplicate of this bug. ***
Tracked SLE12-SP1 SLE15 and SLE15-SP2. Please also upgrade TW.
Factory submission: https://build.opensuse.org/request/show/818155
After reviewing the upstream commits, I believe these should be the corresponding fixes for the CVEs in 5.1 (note that the information provided in the advisory or the Oracle Critical Patch Update Advisory is not very detailed):

- CVE-2020-2934:
  * Fix for Bug#23143279, CLIENT HANG WHEN LOADBALANCESTRATEGY IS BESTRESPONSETIME.
  * https://github.com/mysql/mysql-connector-j/commit/e824d25875e2fdfdacf8a09e8d829df00a3db8e7
- CVE-2020-2933:
  * Fix for Bug#30657312, Disable external entities in Fabric's XML parser.
  * https://github.com/mysql/mysql-connector-j/commit/179957f688241df58d2442e018b2f122126e9eb5
- CVE-2020-2875:
  * Fix for Bug#30636056, ResultSetUtil.resultSetToMap() can be unsafe to use.
  * https://github.com/mysql/mysql-connector-j/commit/13f06c38fb68757607c460789196e3f798d506f2
  * Fix for Bug#30636056, Replace rs.getObject() by rs.getInt() in collation handling.
  * https://github.com/mysql/mysql-connector-j/commit/884393db0a4d3389439f2f72fd508e4e1fbd4d5e
Update to 8.0.25 in Factory submitted here: https://build.opensuse.org/request/show/907801
openSUSE-SU-2021:2622-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1173600
CVE References: CVE-2020-2875, CVE-2020-2933, CVE-2020-2934
JIRA References:
Sources used:
  openSUSE Leap 15.3 (src): mysql-connector-java-5.1.47-3.3.1

openSUSE-SU-2021:1126-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1173600
CVE References: CVE-2020-2875, CVE-2020-2933, CVE-2020-2934
JIRA References:
Sources used:
  openSUSE Leap 15.2 (src): mysql-connector-java-5.1.47-lp152.2.3.1

SUSE-SU-2021:2877-1: An update that fixes three vulnerabilities is now available.
Category: security (moderate)
Bug References: 1173600
CVE References: CVE-2020-2875, CVE-2020-2933, CVE-2020-2934
JIRA References:
Sources used:
  SUSE OpenStack Cloud Crowbar 9 (src): mysql-connector-java-5.1.42-5.7.1
  SUSE OpenStack Cloud Crowbar 8 (src): mysql-connector-java-5.1.42-5.7.1
  SUSE OpenStack Cloud 9 (src): mysql-connector-java-5.1.42-5.7.1
  SUSE OpenStack Cloud 8 (src): mysql-connector-java-5.1.42-5.7.1
  SUSE Linux Enterprise Software Development Kit 12-SP5 (src): mysql-connector-java-5.1.42-5.7.1
  HPE Helion Openstack 8 (src): mysql-connector-java-5.1.42-5.7.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
All done, closing.