Roman Wagner

New Vulnerability in MySQL JDBC Driver: RCE and Unauthorized DB Access

We have found a new vulnerability in MySQL Connector/J (CVE-2023-21971). Oracle fixed the issue in its Critical Patch Update of April 18, 2023. The vulnerability was found as part of our collaboration with Google's OSS-Fuzz.

Vulnerability Description

The issue is reachable through the java.sql.DriverManager.getConnection() method whenever the connection URL, or the connection properties passed alongside it, is built from untrusted input. Connector/J's propertiesTransform connection property names a class that the driver loads and instantiates while processing the URL, and the driver did not check the class before loading it, so the property can be abused to load and execute arbitrary classes. The following example illustrates the vulnerability:

Connection conn = DriverManager.getConnection("jdbc:mysql://localhost/test?user=test&password=test&propertiesTransform=com.example.MyArbitraryClass");

In this example, the static initializer of com.example.MyArbitraryClass is executed even if the class does not implement the ConnectionPropertiesTransform interface, because the driver only discovers the interface mismatch after the class has been loaded and instantiated. Since the class is resolved through the application's class loader, an attacker needs a class with a suitable static initializer to already be present on the classpath; the driver does not fetch code over the network.
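To make the untrusted-input condition concrete, the following Java example (added here; it is not code from the original advisory or from Connector/J) contrasts a URL builder that concatenates caller-supplied key/value pairs into the JDBC URL with a hardened variant that only accepts an allowlisted set of driver properties, and adds a small audit helper that flags query-string keys which make the driver instantiate a class by name. The class and method names, the allowlist contents, and the sample input map are assumptions made for the illustration; propertiesTransform is the property from the advisory, while the other entries in CLASS_LOADING_KEYS are further Connector/J properties that take class names and are included as a generalization.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

public class JdbcUrlHardening {

    // Vulnerable pattern (do not use): untrusted key/value pairs are concatenated
    // straight into the JDBC URL. With Connector/J 8.0.32 or earlier, the pair
    // propertiesTransform=com.example.MyArbitraryClass makes the driver load and
    // initialize that class while the URL is processed.
    static Connection connectUnsafe(String host, String db, Map<String, String> untrusted)
            throws SQLException {
        StringBuilder url = new StringBuilder("jdbc:mysql://").append(host).append('/').append(db).append('?');
        for (Map.Entry<String, String> e : untrusted.entrySet()) {
            url.append(e.getKey()).append('=').append(e.getValue()).append('&');
        }
        return DriverManager.getConnection(url.toString());
    }

    // Hardened pattern: host and database come from application configuration, and
    // untrusted input may only supply an allowlisted set of driver properties.
    // The driver also honours properties passed in the Properties object, so it is
    // the allowlist, not the use of Properties, that keeps propertiesTransform out.
    // Allowlist contents are an assumption for this example.
    static final Set<String> ALLOWED_KEYS = new HashSet<>(Arrays.asList("user", "password", "connectTimeout"));

    static Properties filterProperties(Map<String, String> untrusted) {
        Properties props = new Properties();
        for (Map.Entry<String, String> e : untrusted.entrySet()) {
            if (!ALLOWED_KEYS.contains(e.getKey())) {
                throw new IllegalArgumentException("connection property not allowed: " + e.getKey());
            }
            props.setProperty(e.getKey(), e.getValue());
        }
        return props;
    }

    static Connection connectSafe(String host, String db, Map<String, String> untrusted)
            throws SQLException {
        String url = "jdbc:mysql://" + host + "/" + db;
        return DriverManager.getConnection(url, filterProperties(untrusted));
    }

    // Audit helper for existing configuration: returns the query-string keys of a
    // JDBC URL that make Connector/J instantiate a class by name. Matching is
    // case-insensitive so that differently cased spellings are not missed.
    static final Set<String> CLASS_LOADING_KEYS = new HashSet<>(Arrays.asList(
            "propertiestransform", "socketfactory", "exceptioninterceptors",
            "queryinterceptors", "authenticationplugins", "defaultauthenticationplugin"));

    static List<String> findClassLoadingProperties(String jdbcUrl) {
        List<String> hits = new ArrayList<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return hits;
        }
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if (CLASS_LOADING_KEYS.contains(key.toLowerCase(Locale.ROOT))) {
                hits.add(key);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed input standing in for attacker-controlled form or config data.
        Map<String, String> untrusted = new LinkedHashMap<>();
        untrusted.put("user", "test");
        untrusted.put("password", "test");
        untrusted.put("propertiesTransform", "com.example.MyArbitraryClass");

        try {
            filterProperties(untrusted);
        } catch (IllegalArgumentException rejected) {
            System.out.println("rejected: " + rejected.getMessage());
        }

        String url = "jdbc:mysql://localhost/test?user=test&password=test"
                + "&propertiesTransform=com.example.MyArbitraryClass";
        System.out.println("class-loading properties in URL: " + findClassLoadingProperties(url));
    }
}
```

findClassLoadingProperties is meant for scanning configuration files and environment variables that carry JDBC URLs in a deployment; connectUnsafe is kept only to show the pattern to look for during code review and should never be called with real input.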

Impact and Risks

The vulnerability allows an attacker who controls the connection URL or connection properties to compromise the application using the connector. Successful exploitation can result in the following:

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of MySQL Connectors.
  • Unauthorized update, insert or delete access to some of the data accessible to MySQL Connectors.
  • Unauthorized read access to a subset of the data accessible to MySQL Connectors.
  • Arbitrary code execution.

Mitigation and Remediation

Supported versions that are affected are 8.0.32 and prior. Oracle fixed the vulnerability in its Critical Patch Update of April 18, 2023. We strongly recommend that affected users upgrade to the release that includes the fix, i.e., 8.0.33 or later. Check the full dependency tree rather than only direct dependencies, since the driver is often pulled in transitively by ORMs and connection pools, and note that the Maven artifact was renamed from mysql:mysql-connector-java to com.mysql:mysql-connector-j starting with 8.0.31, so search for both names. Until the upgrade is deployed, never build the JDBC URL or its properties from untrusted input.

Supply Chain Attacks

MySQL Connector/J is Oracle's JDBC driver for interacting with MySQL databases from Java applications. This vulnerability is an example of the security risks associated with software supply chains. As high-profile vulnerabilities like Log4Shell and Spring4Shell have shown, relying on libraries or components that contain security vulnerabilities can render the whole software system vulnerable. Over the past three years, there has been a 742% average annual increase in software supply chain attacks, emphasizing the need to address software supply chain security at the ecosystem level.

Acknowledgments

We thank the maintainers for responding to the issue and providing a fix and new releases.