Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors.
Created mysql-connector-java tracking bugs for this issue:
Affects: fedora-all [bug 1444418]
Further details are now available via an advisory from the original issue reporter:
The advisory describes that the MySQL Connector/J can perform Java object deserialization even when the autoDeserialize flag is set to false. In certain cases, a malicious MySQL server could use this flaw to execute arbitrary code on the client using the Connector/J.
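Because the autoDeserialize=false setting does not protect the affected builds, the practical check is the driver version itself. The following is an added inventory helper, not code from the tracker, from Oracle or from the Connector/J project: it parses a jar's META-INF/MANIFEST.MF and flags versions in the affected range (5.1.40 and earlier), comparing version parts numerically so that 5.1.4 and 5.1.40 are not confused. It assumes the jar manifest carries the standard Implementation-Title and Implementation-Version attributes; the sample manifest below is constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Affected range taken from the advisory text: Connector/J 5.1.40 and earlier.
LAST_AFFECTED = (5, 1, 40)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn '5.1.40', '5.1.40-bin' or '5.1.41-SNAPSHOT' into (5, 1, 40); None if unparsable."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version: str) -> bool:
    """True when the version is 5.1.40 or earlier.

    Tuple comparison is numeric: (5, 1, 4) < (5, 1, 40) < (5, 1, 41).
    A plain string comparison would rank '5.1.4' above '5.1.40' and miss it.
    """
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparsable Connector/J version: {version!r}")
    return v <= LAST_AFFECTED


def parse_manifest(manifest: str) -> Dict[str, str]:
    """Minimal 'Key: value' parser for a MANIFEST.MF text (continuation lines not handled)."""
    fields: Dict[str, str] = {}
    for line in manifest.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields


def check_manifest(manifest: str) -> Optional[bool]:
    """Return True/False for a Connector/J manifest, None if the jar is not Connector/J
    or carries no Implementation-Version (assumed attribute names, see lead-in)."""
    fields = parse_manifest(manifest)
    title = fields.get("Implementation-Title", "").lower()
    version = fields.get("Implementation-Version", "")
    if "connector" not in title or not version:
        return None
    return is_affected(version)


# Constructed sample manifest, not copied from a real jar.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Implementation-Title: MySQL Connector/J
Implementation-Version: 5.1.40
"""
```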
There does not seem to be any mention of the issue in the 5.1.41 release notes:
RHMAP mysql-connector upgrades are done, will do a patch release on 4.5.0
This issue affects the versions of mysql-connector-java as shipped with Red Hat Enterprise Linux 6 and 7.