Bug 1444759 (CVE-2017-3523) - CVE-2017-3523 mysql-connector-java: Improper automatic deserialization of binary data (CPU Apr 2017)
Summary: CVE-2017-3523 mysql-connector-java: Improper automatic deserialization of bin...
Keywords:
Status: NEW
Alias: CVE-2017-3523
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1444418 1464466 1464467
Blocks: 1444415
TreeView+ depends on / blocked
 
Reported: 2017-04-24 08:29 UTC by Andrej Nemec
Modified: 2019-09-29 14:11 UTC (History)
28 users (show)

Fixed In Version: mysql-connector-java 5.1.41
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that the MySQL Connector/J client could deserialize certain database contents, regardless of the "autoDeserialize" option. If the client processes data received from an untrusted or compromised database server, a remote attacker could exploit this flaw to cause remote code execution.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Andrej Nemec 2017-04-24 08:29:56 UTC
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and eariler. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors.

http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

Comment 1 Andrej Nemec 2017-04-24 08:31:44 UTC
Created mysql-connector-java tracking bugs for this issue:

Affects: fedora-all [bug 1444418]

Comment 2 Tomas Hoger 2017-05-03 11:07:30 UTC
Further details are now available via an advisory from the original issue reporter:

https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt

The advisory describes that the MySQL Connector/J can perform Java object deserialization even when autoDeserialize flag is set to false.  In certain cases, a malicious MySQL server could use this flaw to execute arbitrary code on the client using the Connector/J.

Upstream commit:

https://github.com/mysql/mysql-connector-j/commit/6189e718de5b6c6115aee45dd7a480081c129d68

There does not seem to be any mention of the issue in the 5.1.41 release notes:

https://dev.mysql.com/doc/relnotes/connector-j/5.1/en/news-5-1-41.html

Comment 7 Jason Shepherd 2017-09-18 01:15:26 UTC
RHMAP mysql-connector upgrades are done, will do a patch release on 4.5.0

Comment 11 Stefan Cornelius 2018-02-22 09:52:30 UTC
Statement:

This issue affects the versions of mysql-connector-java as shipped with Red Hat Enterprise Linux 6 and 7.


Note You need to log in before you can comment on or make changes to this bug.