Bugzilla – Bug 1195557
VUL-0: CVE-2021-2471: mysql-connector-java: unauthorized access
Last modified: 2022-12-11 16:34:14 UTC
Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash.

External Reference:
https://www.oracle.com/security-alerts/cpuoct2021.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2020583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-2471
https://www.oracle.com/security-alerts/cpuoct2021.html#CVE-2021-2471
https://www.oracle.com/security-alerts/cpuoct2021.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-2471
Hi David,

It seems that the two following packages are vulnerable:
- SUSE:SLE-15-SP2:Update/mysql-connector-java
- SUSE:SLE-12-SP1:Update/mysql-connector-java

I have not found any official patch out there, but thanks to a public PoC [0], I found the offending code:

> return (T) new DOMSource(builder.parse(inputSource));

at

- SUSE:SLE-12-SP1:Update/mysql-connector-java/mysql-connector-java-8.0.25/src/main/user-impl/java/com/mysql/cj/jdbc/MysqlSQLXML.java-225
- SUSE:SLE-15-SP2:Update/mysql-connector-java/mysql-connector-java-5.1.47/src/com/mysql/jdbc/JDBC4MysqlSQLXML.java-307

Can you please review it and provide a patch?

[0] https://github.com/DrunkenShells/CVE-2021-2471
(In reply to Gianluca Gabrielli from comment #1)
> Hi David,
>
> It seems that the two following packages are vulnerable:
> - SUSE:SLE-15-SP2:Update/mysql-connector-java
> - SUSE:SLE-12-SP1:Update/mysql-connector-java
>
> I have not found any official patch out there, but thanks to a public PoC
> [0], I found the offending code:
>
> > return (T) new DOMSource(builder.parse(inputSource));
>
> at
>
> - SUSE:SLE-12-SP1:Update/mysql-connector-java/mysql-connector-java-8.0.25/src/main/user-impl/java/com/mysql/cj/jdbc/MysqlSQLXML.java-225
> - SUSE:SLE-15-SP2:Update/mysql-connector-java/mysql-connector-java-5.1.47/src/com/mysql/jdbc/JDBC4MysqlSQLXML.java-307
>
> Can you please review it and provide a patch?
>
> [0] https://github.com/DrunkenShells/CVE-2021-2471

Here is the solution from Oracle: setting setFeature on the XMLReader depending on what class this is instanced (https://github.com/mysql/mysql-connector-j/blob/7ff2161da3899f379fb3171b6538b191b1c5c7e2/src/main/user-impl/java/com/mysql/cj/jdbc/MysqlSQLXML.java#L196).

I think we can easily patch this on all codestreams, but I didn't look into it yet.
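For the DOMSource line flagged in comment #1, the following added example (not the connector's code, Oracle's patch, or the SUSE patch) shows the parser factory being locked down with `setFeature` before `builder.parse(...)` runs, and checks that a document carrying a DOCTYPE is then rejected. The class name `HardenedDomSource`, the helper `parseHardened`, and the sample inputs are hypothetical; the feature set is the usual JAXP hardening set and assumes the parser bundled with the JDK.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class HardenedDomSource {

    // Hypothetical helper: builds a DOMSource like the flagged line does, but
    // only after DOCTYPE and external-entity handling have been switched off.
    static DOMSource parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Feature URIs below are those understood by the JDK's bundled parser (assumption).
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder builder = f.newDocumentBuilder();
        return new DOMSource(builder.parse(new InputSource(new StringReader(xml))));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain document and one that declares a DOCTYPE
        // with a harmless internal entity.
        String plain = "<row><name>alice</name></row>";
        String withDoctype = "<!DOCTYPE row [<!ENTITY e \"x\">]><row>&e;</row>";

        DOMSource ok = parseHardened(plain);
        System.out.println("plain parsed, root = "
                + ok.getNode().getFirstChild().getNodeName());

        try {
            parseHardened(withDoctype);
            System.out.println("DOCTYPE accepted: parser is NOT hardened");
        } catch (SAXException e) {
            // With disallow-doctype-decl set, parsing stops at the DOCTYPE.
            System.out.println("DOCTYPE rejected: " + e.getMessage());
        }
    }
}
```

The same rejection check can be used as a regression test against a patched connector build by passing a DOCTYPE-bearing value through the patched code path and expecting a failure.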
openSUSE-SU-2022:0658-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (moderate)
Bug References: 1195557
CVE References: CVE-2021-2471
JIRA References: PM-3307
Sources used:
openSUSE Leap 15.4 (src): mysql-connector-java-5.1.47-3.6.1
openSUSE Leap 15.3 (src): mysql-connector-java-5.1.47-3.6.1
Everything done, assigning back to security.
SUSE-SU-2022:1142-1: An update that fixes one vulnerability, contains one feature is now available.

Category: security (moderate)
Bug References: 1195557
CVE References: CVE-2021-2471
JIRA References: PM-3307
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): mysql-connector-java-8.0.25-5.13.1
SUSE OpenStack Cloud Crowbar 8 (src): mysql-connector-java-8.0.25-5.13.1
SUSE OpenStack Cloud 9 (src): mysql-connector-java-8.0.25-5.13.1
SUSE OpenStack Cloud 8 (src): mysql-connector-java-8.0.25-5.13.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): mysql-connector-java-8.0.25-5.13.1
HPE Helion Openstack 8 (src): mysql-connector-java-8.0.25-5.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.