Bug 2020583 (CVE-2021-2471)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2021-2471 mysql-connector-java: unauthorized access to critical | | |
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | aileenc, akoufoud, alazarot, anstephe, aos-bugs, asoldano, atangrin, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bibryam, bkearney, bmaxwell, bmontgom, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, databases-maint, dkreling, dosoudil, drieden, ehelms, eleandro, eparis, etirelli, fjuma, ggaughan, gmalinko, gmorling, gsmet, hamadhan, hbraun, hhorak, ibek, iweiss, janstey, java-sig-commits, jburrell, jjanco, jnethert, jochrist, jolee, jpallich, jpechane, jperkins, jrokos, jschatte, jsherril, jstastny, jwon, krathod, kverlaen, kwills, lgao, ljavorsk, lthon, lzap, mhulan, mkulik, mmccune, mmuzila, mnovotny, mschorm, msochure, msvehla, mszynkie, myarboro, nmoumoul, nstielau, nwallace, odubaj, orabin, pantinor, pcreech, pdelbell, peholase, pgallagh, pjindal, pmackay, probinso, puntogil, rchan, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sd-operator-metering, sdouglas, smaestri, sponnaga, steve.traylen, tflannag, tom.jenkinson, tzimanyi, vkumar, xjakub, yborgess, zmiklank |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | MySQL Connector/J 8.0.27 | Doc Type: | If docs needed, set a value |
| Doc Text: | MySQL Connector/J performs no security check when external general entities are included in XML sources; consequently it is vulnerable to XML External Entity (XXE) injection. A successful attack can access critical data, or gain full control of or access to all data accessible to MySQL Connectors, without any authorization. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2022-03-02 21:33:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2020584, 2028345 | | |
| Bug Blocks: | 2020585 | | |
Description
Marian Rehak
2021-11-05 10:29:34 UTC
Created mysql-connector-java tracking bugs for this issue:

Affects: fedora-all [bug 2020584]

We disagree with some aspects of this base flaw's scoring and suggest the following corrections.

Exploitability Metrics:

Privileges Required (PR:H) - We disagree here. We believe it should be None (PR:N) instead of High, as the description says[1]: "Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors", and also there is no evidence that an attacker needs to be privileged to exploit this flaw; though it is end-application implementation dependent, this is covered under the Attack Complexity metric.

Current Score: 5.9/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
Suggested Score: 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-2471

This vulnerability is out of security support scope for the following products:

* Red Hat JBoss Fuse 6
* Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Marking Red Hat Integration Debezium as having a low impact; this is because, although Debezium distributes a vulnerable version of the mysql connector, the SQLXML implementation is not used in a way that can be exploited (MysqlSQLXML::getSource() is never invoked).

Red Hat Process Automation Manager and Decision Manager are set as low impact, as they ship an affected version (8.0.16) of the component but do not utilize mysql-sqlxml.getSource() anywhere in the code.

This issue has been addressed in the following products:

Red Hat build of Quarkus 2.2.5

Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-2471

This issue has been addressed in the following products:

RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013

This issue has been addressed in the following products:

Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

This issue has been addressed in the following products:

RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903

This issue has been addressed in the following products:

RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
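The Doc Text above states that the driver performed no security check on external general entities in XML sources, and the Debezium and RHPAM/RHDM comments rate exposure by whether MysqlSQLXML::getSource() is ever invoked. The following Java program is an added example written for this page; it is not code from Connector/J, Red Hat or the bug reporter. It parses a constructed hostile XML value first with a default JAXP DocumentBuilderFactory, which mirrors the condition the Doc Text describes (external general entities resolved), and then with a hardened factory that forbids a DOCTYPE and disables external entity and DTD loading. The temporary file standing in for a secret, the XML payload, and the class and method names are assumptions of the example; the feature URIs are the standard Xerces/JAXP ones shipped with the JDK.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Added example (not Connector/J code): shows why an XML column value that
// reaches an unhardened parser via SQLXML.getSource() is an XXE sink.
public class SqlXmlXxeDemo {

    // Default JAXP factory: external general entities are resolved, so a
    // DOCTYPE inside the column value can pull in a local file. This mirrors
    // the condition described for CVE-2021-2471, not the driver's exact code.
    static Document parseLikeUnpatchedDriver(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    // Hardened factory: reject any DOCTYPE (also stops entity-expansion DoS)
    // and, as defence in depth, disable external entities and DTD loading.
    static Document parseHardened(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file the reading host should never disclose.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "db-password=hunter2".getBytes(StandardCharsets.UTF_8));

        // Constructed "column value": what an attacker able to write an XML
        // column would store so that the reader's getSource() parse resolves
        // the external entity on the reader's machine.
        String hostile = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE order [ <!ENTITY leak SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<order><note>&leak;</note></order>";

        Document d = parseLikeUnpatchedDriver(hostile);
        System.out.println("default parser, <note> text: "
            + d.getElementsByTagName("note").item(0).getTextContent());

        try {
            parseHardened(hostile);
            System.out.println("hardened parser: unexpectedly accepted DOCTYPE");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected input: " + e.getMessage());
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

In a real application the equivalent parse happens when code reads an XML column with ResultSet.getSQLXML(...) and then calls getSource(...) on the returned java.sql.SQLXML object, so the exposure check the comments above apply is whether any code path calls SQLXML.getSource(...) on data the driver returns; where none does, the flaw is unreachable, which is why those products were rated low. Upgrading to the fixed driver (8.0.27 per the Fixed In Version field) is still the remediation; hardening a parser as shown only protects XML that the application parses itself.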