Bug 2020583 (CVE-2021-2471) - CVE-2021-2471 mysql-connector-java: unauthorized access to critical
Summary: CVE-2021-2471 mysql-connector-java: unauthorized access to critical
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-2471
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2020584 2028345
Blocks: 2020585
Reported: 2021-11-05 10:29 UTC by Marian Rehak
Modified: 2022-03-22 15:35 UTC (History)
Fixed In Version: MySQL Connector/J 8.0.27
Doc Type: If docs needed, set a value
Doc Text:
MySQL Connector/J performs no security check when external general entities are included in XML sources; consequently, there exists an XML External Entity (XXE) vulnerability. A successful attack can access critical data and gain full control of, or access to, all data accessible to MySQL Connectors without any authorization.
Clone Of:
Environment:
Last Closed: 2022-03-02 21:33:59 UTC


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0589 0 None None None 2022-02-21 18:23:37 UTC
Red Hat Product Errata RHSA-2022:1013 0 None None None 2022-03-22 15:35:08 UTC

Description Marian Rehak 2021-11-05 10:29:34 UTC
A difficult-to-exploit vulnerability allows a high-privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and an unauthorized ability to cause a hang or frequently repeatable crash.

External Reference:

https://www.oracle.com/security-alerts/cpuoct2021.html

Comment 1 Marian Rehak 2021-11-05 10:30:07 UTC
Created mysql-connector-java tracking bugs for this issue:

Affects: fedora-all [bug 2020584]

Comment 3 Jonathan Christison 2021-11-10 17:38:10 UTC
We disagree with some aspects of this base flaw's scoring and suggest the following corrections.

Exploitability Metrics:

Privileges Required (PR:H) -

We disagree here. We believe it should be None (PR:N) instead of High, as the description says[1]: "Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors", and also there is no evidence that an attacker needs to be privileged to exploit this flaw; though it is end-application implementation dependent, this is covered under the attack complexity metric.

    Current Score:   5.9/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
    Suggested Score: 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H

[1] https://nvd.nist.gov/vuln/detail/CVE-2021-2471

Comment 4 Jonathan Christison 2021-11-15 13:19:35 UTC
This vulnerability is out of security support scope for the following products:

 * Red Hat JBoss Fuse 6
 * Red Hat JBoss Data Virtualization 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 8 Jonathan Christison 2021-11-18 14:50:39 UTC
Marking Red Hat Integration Debezium as having a low impact. This is because, although Debezium distributes a vulnerable version of the MySQL connector, the SQLXML implementation is not used in a way that can be exploited (MysqlSQLXML::getSource() is never invoked).

Comment 10 Chess Hazlett 2021-11-19 01:14:39 UTC
Red Hat Process Automation Manager and Decision Manager are set as low impact, as they ship an affected version (8.0.16) of the component but do not utilize mysql-sqlxml.getSource() anywhere in the code.

Comment 16 errata-xmlrpc 2022-02-21 18:23:30 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.2.5

Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589

Comment 17 Product Security DevOps Team 2022-03-02 21:33:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-2471

Comment 18 errata-xmlrpc 2022-03-22 15:35:01 UTC
This issue has been addressed in the following products:

  RHINT Camel-Q 2.2.1

Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
