Bug 1444759 (CVE-2017-3523)

Summary: CVE-2017-3523 mysql-connector-java: Improper automatic deserialization of binary data (CPU Apr 2017)
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abhgupta, aileenc, avibelli, chazlett, databases-maint, drieden, gsterlin, gvarsami, hhorak, java-sig-commits, jbalunas, jcoleman, jshepherd, ldimaggi, mmuzila, mschorm, nwallace, pdrozd, puntogil, rrajasek, rwagner, sthorger, tcunning, tiwillia, tkirby, xjakub, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mysql-connector-java 5.1.41
Doc Text:
It was discovered that the MySQL Connector/J client could deserialize certain database contents, regardless of the "autoDeserialize" option. If the client processes data received from an untrusted or compromised database server, a remote attacker could exploit this flaw to cause remote code execution.
Last Closed: 2021-10-21 11:53:14 UTC
Bug Depends On: 1444418, 1464466, 1464467
Bug Blocks: 1444415

Description Andrej Nemec 2017-04-24 08:29:56 UTC
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors.

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

Comment 1 Andrej Nemec 2017-04-24 08:31:44 UTC
Created mysql-connector-java tracking bugs for this issue:

Affects: fedora-all [bug 1444418]

Comment 2 Tomas Hoger 2017-05-03 11:07:30 UTC
Further details are now available via an advisory from the original issue reporter:

https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt

The advisory describes that the MySQL Connector/J can perform Java object deserialization even when the autoDeserialize flag is set to false. In certain cases, a malicious MySQL server could use this flaw to execute arbitrary code on the client using the Connector/J.

Upstream commit:

https://github.com/mysql/mysql-connector-j/commit/6189e718de5b6c6115aee45dd7a480081c129d68

There does not seem to be any mention of the issue in the 5.1.41 release notes:

https://dev.mysql.com/doc/relnotes/connector-j/5.1/en/news-5-1-41.html

Comment 7 Jason Shepherd 2017-09-18 01:15:26 UTC
RHMAP mysql-connector upgrades are done, will do a patch release on 4.5.0

Comment 11 Stefan Cornelius 2018-02-22 09:52:30 UTC
Statement:

This issue affects the versions of mysql-connector-java as shipped with Red Hat Enterprise Linux 6 and 7.
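
Added example, not part of the bug report or of any Red Hat or Oracle tooling: a small inventory check that classifies Connector/J jars against the version data recorded in this bug (affected: 5.1.40 and earlier; fixed in 5.1.41). The jar file-name pattern, the `classify` and `scan` helpers and the sample names are assumptions made for illustration.

```python
import re
from pathlib import Path

# Fixed release taken from this bug's "Fixed In Version" field.
FIXED = (5, 1, 41)
# Assumed artifact naming: mysql-connector-java-<x.y.z>[-bin].jar
JAR_RE = re.compile(r"^mysql-connector-java-(\d+)\.(\d+)\.(\d+)(?:-bin)?\.jar$")


def classify(jar_name):
    """Return 'affected', 'fixed', 'not-covered', or None if not a Connector/J jar."""
    m = JAR_RE.match(jar_name)
    if not m:
        return None
    # Compare numerically, so that 5.1.9 sorts before 5.1.40.
    version = tuple(int(part) for part in m.groups())
    if version < FIXED:
        return "affected"       # "5.1.40 and earlier" per the bug description
    if version[:2] == FIXED[:2]:
        return "fixed"          # 5.1.41 or a later 5.1.x release
    return "not-covered"        # other release lines are not discussed in this bug


def scan(root):
    """Walk a directory tree and classify every Connector/J jar found by name."""
    results = {}
    for path in sorted(Path(root).rglob("*.jar")):
        status = classify(path.name)
        if status is not None:
            results[str(path)] = status
    return results


# Constructed sample file names, for illustration only.
SAMPLE = [
    "mysql-connector-java-5.1.40-bin.jar",
    "mysql-connector-java-5.1.9.jar",
    "mysql-connector-java-5.1.41.jar",
    "mysql-connector-java-8.0.11.jar",
    "commons-lang3-3.5.jar",
]

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, "->", classify(name))
```

The check matches on file names only, so a connector that has been renamed or bundled inside another archive will not be found by it.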