Bug 2020583 (CVE-2021-2471)

Summary: CVE-2021-2471 mysql-connector-java: unauthorized access to critical
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aileenc, akoufoud, alazarot, anstephe, aos-bugs, asoldano, atangrin, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bibryam, bkearney, bmaxwell, bmontgom, brian.stansberry, btotty, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, databases-maint, dkreling, dosoudil, drieden, ehelms, eleandro, eparis, etirelli, fjuma, ggaughan, gmalinko, gmorling, gsmet, hamadhan, hbraun, hhorak, ibek, iweiss, janstey, java-sig-commits, jburrell, jjanco, jnethert, jochrist, jolee, jpallich, jpechane, jperkins, jrokos, jschatte, jsherril, jstastny, jwon, krathod, kverlaen, kwills, lgao, ljavorsk, lthon, lzap, mhulan, mkulik, mmccune, mmuzila, mnovotny, mschorm, msochure, msvehla, mszynkie, myarboro, nmoumoul, nstielau, nwallace, odubaj, orabin, pantinor, pcreech, pdelbell, peholase, pgallagh, pjindal, pmackay, probinso, puntogil, rchan, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sd-operator-metering, sdouglas, smaestri, sponnaga, steve.traylen, tflannag, tom.jenkinson, tzimanyi, vkumar, xjakub, yborgess, zmiklank
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: MySQL Connector/J 8.0.27
Doc Type: If docs needed, set a value
Doc Text:
MySQL Connector/J performs no security check when external general entities are included in XML sources, so an XML External Entity (XXE) vulnerability exists. A successful attack can access critical data and gain full control of, or access to, all data accessible to MySQL Connectors without any authorization.
Story Points: ---
Last Closed: 2022-03-02 21:33:59 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2020584, 2028345
Bug Blocks: 2020585

Description Marian Rehak 2021-11-05 10:29:34 UTC
A difficult-to-exploit vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data, and the unauthorized ability to cause a hang or frequently repeatable crash.

External Reference:

https://www.oracle.com/security-alerts/cpuoct2021.html

Comment 1 Marian Rehak 2021-11-05 10:30:07 UTC
Created mysql-connector-java tracking bugs for this issue:

Affects: fedora-all [bug 2020584]

Comment 3 Jonathan Christison 2021-11-10 17:38:10 UTC
We disagree with some aspects of this base flaw's scoring and suggest the following corrections.

Exploitability Metrics:

Privileges Required (PR:H) -

We disagree here. We believe it should be None (PR:N) instead of High, as the description says [1]: "Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors". Also, there is no evidence that an attacker needs to be privileged to exploit this flaw; though it is end-application implementation dependent, this is covered under the attack complexity metric.

    Current Score:   5.9/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
    Suggested Score: 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-2471

Comment 4 Jonathan Christison 2021-11-15 13:19:35 UTC
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 8 Jonathan Christison 2021-11-18 14:50:39 UTC
Marking Red Hat Integration Debezium as having a low impact. Although Debezium distributes a vulnerable version of the mysql connector, the SQLXML implementation is not used in a way that can be exploited (MysqlSQLXML::getSource() is never invoked).

Comment 10 Chess Hazlett 2021-11-19 01:14:39 UTC
Red Hat Process Automation Manager and Decision Manager are set as low impact, as they ship an affected version (8.0.16) of the component but do not utilize mysql-sqlxml.getSource() anywhere in the code.
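The Doc Text describes the flaw class (no check on external general entities in XML handed to the connector's SQLXML implementation), and Comments 8 and 10 scope exposure to whether MysqlSQLXML.getSource() is ever reached. As an added illustration, not code from Connector/J, Oracle or Red Hat, the Java snippet below shows the JAXP parser settings that close this class of exposure when an application parses XML column values itself rather than through the connector; the sample XML, its placeholder path and the class and method names are constructed for the example.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class HardenedXmlColumnParser {

    // Constructed sample: an XML value as it might sit in a column, carrying a
    // DOCTYPE that declares an external general entity. A parser that resolves
    // such entities reads the referenced resource; that is the XXE exposure.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE note [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\"> ]>\n"
      + "<note>&ext;</note>";

    /** Builds a DocumentBuilder that refuses DTDs and never resolves external entities. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE blocks external entities and entity-expansion DoS at once.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must be tolerated: fetch nothing external.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parses XML read from the database; returns null instead of a document when the input is rejected. */
    static Document parseColumn(String xml) {
        try {
            return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
        } catch (Exception e) { // SAXParseException for the rejected DOCTYPE, IOException otherwise
            System.err.println("rejected XML column value: " + e.getMessage());
            return null;
        }
    }

    public static void main(String[] args) {
        Document doc = parseColumn(SAMPLE_XML);
        System.out.println(doc == null ? "blocked" : "parsed");
    }
}
```

Running the class against the constructed sample exercises the rejection path; a value without a DOCTYPE parses normally.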

Comment 16 errata-xmlrpc 2022-02-21 18:23:30 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.5

Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589

Comment 17 Product Security DevOps Team 2022-03-02 21:33:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-2471

Comment 18 errata-xmlrpc 2022-03-22 15:35:01 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013

Comment 19 errata-xmlrpc 2022-07-07 14:21:31 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532

Comment 20 errata-xmlrpc 2022-08-04 04:47:33 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903

Comment 21 errata-xmlrpc 2022-09-09 07:12:58 UTC
This issue has been addressed in the following products:

  RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407