1851019 – (CVE-2020-2875) CVE-2020-2875 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete

Bug 1851019 (CVE-2020-2875) - CVE-2020-2875 mysql-connector-java: allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors which could result in unauthorized update, insert or delete

Summary: CVE-2020-2875 mysql-connector-java: allows unauthenticated attacker with netw...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2020-2875
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1851020
Blocks:	1851025
TreeView+	depends on / blocked

Reported:	2020-06-25 12:41 UTC by Michael Kaplan
Modified:	2023-12-15 18:17 UTC (History)
CC List:	83 users (show)
Fixed In Version:	mysql-connector-java 8.0.15, mysql-connector-java 5.1.49
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the mysql-connector-java package. A complicated attack against the mysql Connector/J allows attackers on the local network to interfere with a user's connection and insert unauthorized SQL commands in MySQL Connectors and other products.
Clone Of:
Environment:
Last Closed:	2020-11-05 20:21:25 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:4960	None	None	None	2020-11-05 18:47:57 UTC
Red Hat Product Errata	RHSA-2020:4961	None	None	None	2020-11-05 18:49:22 UTC
Red Hat Product Errata	RHSA-2021:5134	None	None	None	2021-12-14 21:32:56 UTC

Description Michael Kaplan 2020-06-25 12:41:17 UTC

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. 

References:

https://www.oracle.com/security-alerts/cpuapr2020.html
https://lists.debian.org/debian-lts-announce/2020/06/msg00015.html 	
https://www.debian.org/security/2020/dsa-4703

Comment 1 Michael Kaplan 2020-06-25 12:43:36 UTC

Created mysql-connector-java tracking bugs for this issue:

Affects: fedora-all [bug 1851020]

Comment 4 Kunjan Rathod 2020-06-26 04:31:37 UTC

This vulnerability is out of security support scope for the following products:
 * Red Hat Enterprise Application Platform 6
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Fuse Service Works(FSW) 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 8 Doran Moppert 2020-07-15 06:09:17 UTC

Statement:

Red Hat Enterprise Linux customers are advised to replace the mysql-connector-java package with the mariadb-java-client, available in Red Hat Software Collections.  It can be installed this way:

  # yum-config-manager --enable rhel-server-rhscl-7-rpms

  # yum install rh-mariadb103-mariadb-java-client

Comment 9 errata-xmlrpc 2020-11-05 18:48:10 UTC

This issue has been addressed in the following products:

  RHDM 7.9.0

Via RHSA-2020:4960 https://access.redhat.com/errata/RHSA-2020:4960

Comment 10 errata-xmlrpc 2020-11-05 18:49:18 UTC

This issue has been addressed in the following products:

  RHPAM 7.9.0

Via RHSA-2020:4961 https://access.redhat.com/errata/RHSA-2020:4961

Comment 11 Product Security DevOps Team 2020-11-05 20:21:25 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-2875

Comment 12 errata-xmlrpc 2021-12-14 21:32:52 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

Note You need to log in before you can comment on or make changes to this bug.

aboyko
aileenc
akoufoud
alazarot
almorale
anstephe
asoldano
atangrin
avibelli
bbaranow
bgeorges
bibryam
bmaxwell
brian.stansberry
cdewolf
chazlett
clement.escoffier
dandread
darran.lofthouse
databases-maint
dkreling
dosoudil
drieden
etirelli
ganandan
ggaughan
gmalinko
gmorling
gsmet
gvarsami
hhorak
ibek
iweiss
janstey
java-sig-commits
jawilson
jbalunas
jcoleman
jjanco
jochrist
jolee
jpallich
jperkins
jschatte
jstastny
jwon
kconner
krathod
kverlaen
kwills
ldimaggi
lgao
lthon
mmuzila
mnovotny
mschorm
msochure
msvehla
mszynkie
nwallace
odubaj
pantinor
pgallagh
pjindal
pmackay
psotirop
puntogil
rguimara
rrajasek
rruss
rstancel
rsvoboda
rsynek
rwagner
sbiarozk
sdaley
sdouglas
smaestri
steve.traylen
tcunning
tkirby
tom.jenkinson
xjakub