Red Hat Bugzilla – Bug 1444759
CVE-2017-3523 mysql-connector-java: Improper automatic deserialization of binary data (CPU Apr 2017)
Last modified: 2018-06-29 18:20:05 EDT
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and eariler. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL
Created mysql-connector-java tracking bugs for this issue: Affects: fedora-all [bug 1444418]
Further details are now available via an advisory from the original issue reporter: https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt The advisory describes that the MySQL Connector/J can perform Java object deserialization even when autoDeserialize flag is set to false. In certain cases, a malicious MySQL server could use this flaw to execute arbitrary code on the client using the Connector/J. Upstream commit: https://github.com/mysql/mysql-connector-j/commit/6189e718de5b6c6115aee45dd7a480081c129d68 There does not seem to be any mention of the issue in the 5.1.41 release notes: https://dev.mysql.com/doc/relnotes/connector-j/5.1/en/news-5-1-41.html
External References: https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL
RHMAP mysql-connector upgrades are done, will do a patch release on 4.5.0
Statement: This issue affects the versions of mysql-connector-java as shipped with Red Hat Enterprise Linux 6 and 7.