https://bugzilla.redhat.com/show_bug.cgi?id=2020583
Bug ID: 2020583
Summary: CVE-2021-2471 mysql-connector-java: unauthorized access to critical
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: mrehak@redhat.com
CC: aileenc@redhat.com, akoufoud@redhat.com, alazarot@redhat.com, almorale@redhat.com, anstephe@redhat.com, asoldano@redhat.com, atangrin@redhat.com, bbaranow@redhat.com, bbuckingham@redhat.com, bcourt@redhat.com, bibryam@redhat.com, bkearney@redhat.com, bmaxwell@redhat.com, bmontgom@redhat.com, brian.stansberry@redhat.com, btotty@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, darran.lofthouse@redhat.com, databases-maint@redhat.com, dkreling@redhat.com, dosoudil@redhat.com, drieden@redhat.com, ehelms@redhat.com, eleandro@redhat.com, eparis@redhat.com, etirelli@redhat.com, fjuma@redhat.com, ggaughan@redhat.com, gmalinko@redhat.com, gmorling@redhat.com, hbraun@redhat.com, hhorak@redhat.com, ibek@redhat.com, iweiss@redhat.com, janstey@redhat.com, java-sig-commits@lists.fedoraproject.org, jburrell@redhat.com, jjanco@redhat.com, jnethert@redhat.com, jochrist@redhat.com, jokerman@redhat.com, jolee@redhat.com, jpallich@redhat.com, jpechane@redhat.com, jperkins@redhat.com, jrokos@redhat.com, jschatte@redhat.com, jsherril@redhat.com, jstastny@redhat.com, jwon@redhat.com, krathod@redhat.com, kverlaen@redhat.com, kwills@redhat.com, lgao@redhat.com, ljavorsk@redhat.com, lzap@redhat.com, mhulan@redhat.com, mkulik@redhat.com, mmccune@redhat.com, mmuzila@redhat.com, mnovotny@redhat.com, mschorm@redhat.com, msochure@redhat.com, msvehla@redhat.com, myarboro@redhat.com, nmoumoul@redhat.com, nstielau@redhat.com, nwallace@redhat.com, odubaj@redhat.com, orabin@redhat.com, pantinor@redhat.com, pcreech@redhat.com, pdelbell@redhat.com, pjindal@redhat.com, pmackay@redhat.com, puntogil@libero.it, rchan@redhat.com, rguimara@redhat.com, rrajasek@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, smaestri@redhat.com, sponnaga@redhat.com, steve.traylen@cern.ch, tbrisker@redhat.com, tom.jenkinson@redhat.com, tzimanyi@redhat.com, xjakub@fi.muni.cz, yborgess@redhat.com, zmiklank@redhat.com
Target Milestone: ---
Classification: Other
Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash.
External Reference:
https://www.oracle.com/security-alerts/cpuoct2021.html
Marian Rehak mrehak@redhat.com changed:
What       |Removed |Added
---------------------------------------------------------------------------
Blocks     |        |2020585
Depends On |        |2020584
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=2020584 [Bug 2020584] CVE-2021-2471 mysql-connector-java: unauthorized access to critical [fedora-all]
--- Comment #1 from Marian Rehak mrehak@redhat.com --- Created mysql-connector-java tracking bugs for this issue:
Affects: fedora-all [bug 2020584]
Sandipan Roy saroy@redhat.com changed:
What             |Removed |Added
---------------------------------------------------------------------------
Fixed In Version |        |MySQL Connector/J 8.0.27
--- Doc Text *updated* ---
MySQL Connector/J has no security check when external general entities are included in XML sources; consequently, there exists an XML External Entity (XXE) vulnerability. A successful attack can access critical data or gain full control/access to all MySQL Connectors' accessible data without any authorization.
Eric Christensen sparks@redhat.com changed:
What |Removed |Added
---------------------------------------------------------------------------
CC   |        |vkumar@redhat.com
--- Doc Text *updated* ---
MySQL Connector/J has no security check when external general entities are included in XML sources; consequently, there exists an XML External Entity (XXE) vulnerability. A successful attack can access critical data and gain full control/access to all MySQL Connectors' accessible data without any authorization.
--- Comment #3 from Jonathan Christison jochrist@redhat.com ---
We disagree with some aspects of this base flaw's scoring and suggest the following corrections:
Exploitability Metrics:
Privileges Required (PR:H) -
We disagree here. We believe it should be None (PR:N) instead of High, as the description says [1]: "Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors", and also there is no evidence that an attacker needs to be privileged to exploit this flaw; though it is end-application implementation dependent, this is covered under the attack complexity metric.
Current Score: 5.9/CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H
Suggested Score: 7.4/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H
[1] https://nvd.nist.gov/vuln/detail/CVE-2021-2471
--- Comment #4 from Jonathan Christison jochrist@redhat.com --- This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse 6
* Red Hat JBoss Data Virtualization 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
--- Comment #8 from Jonathan Christison jochrist@redhat.com ---
Marking Red Hat Integration Debezium as having a low impact. This is because, although Debezium distributes a vulnerable version of the mysql connector, the SQLXML implementation is not used in a way that can be exploited (MysqlSQLXML::getSource() is never invoked).
--- Comment #10 from Chess Hazlett chazlett@redhat.com ---
Red Hat Process Automation Manager and Decision Manager are set as low impact, as they ship an affected version (8.0.16) of the component but do not utilize mysql-sqlxml.getSource() anywhere in the code.
Yadnyawalk Tale ytale@redhat.com changed:
What       |Removed |Added
---------------------------------------------------------------------------
Depends On |        |2028345
Bug 2020583 depends on bug 2020584, which changed state.
Bug 2020584 Summary: CVE-2021-2471 mysql-connector-java: unauthorized access to critical [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=2020584
What       |Removed |Added
---------------------------------------------------------------------------
Status     |ON_QA   |CLOSED
Resolution |---     |CURRENTRELEASE
--- Comment #16 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat build of Quarkus 2.2.5
Via RHSA-2022:0589 https://access.redhat.com/errata/RHSA-2022:0589
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
---------------------------------------------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2022:0589
--- Comment #17 from Product Security DevOps Team prodsec-dev@redhat.com --- This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-2471
Product Security DevOps Team prodsec-dev@redhat.com changed:
What        |Removed |Added
---------------------------------------------------------------------------
Resolution  |---     |ERRATA
Status      |NEW     |CLOSED
Last Closed |        |2022-03-02 21:33:59
--- Comment #18 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHINT Camel-Q 2.2.1
Via RHSA-2022:1013 https://access.redhat.com/errata/RHSA-2022:1013
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
---------------------------------------------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2022:1013
--- Comment #19 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Fuse 7.11
Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
---------------------------------------------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2022:5532
--- Comment #20 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHPAM 7.13.0 async
Via RHSA-2022:5903 https://access.redhat.com/errata/RHSA-2022:5903
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
---------------------------------------------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2022:5903
--- Comment #21 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
RHAF Camel-K 1.8
Via RHSA-2022:6407 https://access.redhat.com/errata/RHSA-2022:6407
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What    |Removed |Added
---------------------------------------------------------------------------
Link ID |        |Red Hat Product Errata RHSA-2022:6407