Bug 2020583 (CVE-2021-2471) - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
Summary: CVE-2021-2471 mysql-connector-java: unauthorized access to critical
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-2471
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2020584 2028345
Blocks: 2020585
TreeView+ depends on / blocked
 
Reported: 2021-11-05 10:29 UTC by Marian Rehak
Modified: 2024-02-06 04:56 UTC (History)
106 users (show)

Fixed In Version: MySQL Connector/J 8.0.27
Clone Of:
Environment:
Last Closed: 2022-03-02 21:33:59 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0589 0 None None None 2022-02-21 18:23:37 UTC
Red Hat Product Errata RHSA-2022:1013 0 None None None 2022-03-22 15:35:08 UTC
Red Hat Product Errata RHSA-2022:5532 0 None None None 2022-07-07 14:21:36 UTC
Red Hat Product Errata RHSA-2022:5903 0 None None None 2022-08-04 04:47:37 UTC
Red Hat Product Errata RHSA-2022:6407 0 None None None 2022-09-09 07:13:04 UTC

Description Marian Rehak 2021-11-05 10:29:34 UTC 
Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash.

External Reference:

https://www.oracle.com/security-alerts/cpuoct2021.html
Comment 1 Marian Rehak 2021-11-05 10:30:07 UTC 
Created mysql-connector-java tracking bugs for this issue:

Affects: fedora-all [bug 2020584]
Comment 3 Jonathan Christison 2021-11-10 17:38:10 UTC 
We disagree with some aspects of this base flaw's scoring and suggest the following corrections
     
Exploitability Metrics:
     
Privileges Required (PR:H) - 

We disagree here. We believe it should be None (PR:N) instead of High as the description says[1]: "Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors" and also there is no evidence that an attacker needs to be privileged to exploit this flaw, though it is end-application implementation dependent this is covered under the attack complexity metric.
     
    Current Score:   5.9/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
    Suggested Score: 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
     
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-2471
Comment 4 Jonathan Christison 2021-11-15 13:19:35 UTC 
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 8 Jonathan Christison 2021-11-18 14:50:39 UTC 
Marking Red Hat Integration Debezium as having a low impact, this is because although Debezium distributes a vulnerable version of the mysql connector the SQLXML implementation is not used in a way that can be exploited (MysqlSQLXML::getSource() is never invoked)
Comment 10 Chess Hazlett 2021-11-19 01:14:39 UTC 
Red Hat Process Automation Manager and Decision Manager as set as low impact, as they ship an affected version (8.0.16) of the component but do not utilize mysql-sqlxml.getSource() anywhere in the code.
Comment 16 errata-xmlrpc 2022-02-21 18:23:30 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.5

Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589
Comment 17 Product Security DevOps Team 2022-03-02 21:33:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-2471
Comment 18 errata-xmlrpc 2022-03-22 15:35:01 UTC 
This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
Comment 19 errata-xmlrpc 2022-07-07 14:21:31 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
Comment 20 errata-xmlrpc 2022-08-04 04:47:33 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.0 async

Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
Comment 21 errata-xmlrpc 2022-09-09 07:12:58 UTC 
This issue has been addressed in the following products:

  RHAF Camel-K 1.8

Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
Note You need to log in before you can comment on or make changes to this bug.