Bug#912916: mysql-connector-java: CVE-2018-3258: allows low privileged attacker to compromise it
Moritz Mühlenhoff
jmm at inutil.org
Thu Nov 8 18:34:51 GMT 2018
On Mon, Nov 05, 2018 at 02:13:39PM +0100, Moritz Mühlenhoff wrote:
> On Sun, Nov 04, 2018 at 10:35:42PM +0100, Markus Koschany wrote:
> > Package: mysql-connector-java
> > X-Debbugs-CC: team at security.debian.org
> > Severity: grave
> > Tags: security
> >
> > Hi,
> >
> > The following vulnerability was published for mysql-connector-java.
> >
> > CVE-2018-3258[0]:
> > | Vulnerability in the MySQL Connectors component of Oracle MySQL
> > | (subcomponent: Connector/J). Supported versions that are affected are
> > | 8.0.12 and prior. Easily exploitable vulnerability allows low
> > | privileged attacker with network access via multiple protocols to
> > | compromise MySQL Connectors. Successful attacks of this vulnerability
> > | can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8
> > | (Confidentiality, Integrity and Availability impacts). CVSS Vector:
> > | (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
So upon a closer look this seems to only affect the 8.x releases of the
connector (Oracle only lists those affected release series which are
affected and this only lists 8.x, while 5.1.x is still supported; there's
a 5.1.47 release).
Still, this is good example why we should phase out mysql-connector-java
in favour of the more transparent mariadb-connector-java, so let's maybe
reuse this bug for tracking this? (Especially given Tony's experience
that the migration is rather straightforward).
Cheers,
Moritz
More information about the pkg-java-maintainers
mailing list