We have found a new vulnerability in MySQL Connector/J (CVE-2023-21971). Oracle issued a critical path update that fixed the issue on April 18, 2023. The vulnerability was found as part of our collaboration with Google’s OSS-Fuzz.
Vulnerability Description
The issue existed in the java.sql.DriverManager.getConnection() method when used with untrusted inputs. The connection property propertiesTransform can be abused to load and execute arbitrary classes. The following example illustrates the vulnerability:
conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" + "user=test&password=test&propertiesTransform=com.example.MyArbitraryClass");
In this example, the static initializer of com.example.MyArbitraryClass will be executed even if the class does not implement the ConnectionPropertiesTransform interface.
Impact and Risks
The discovered vulnerability allows attackers to compromise MySQL connectors. Successful attacks of this vulnerability can result in the following:
- Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors.
- Unauthorized update, insert or delete access to some of MySQL Connectors' accessible data.
- Unauthorized read access to a subset of MySQL Connectors accessible data.
- Arbitrary code execution.
Mitigation and Remediation
Supported versions that are affected are 8.0.32 and prior. Oracle issued a critical patch update that fixed this vulnerability on April 18, 2023. We strongly recommend that impacted users upgrade to the newer version that includes the fixes, i.e., 8.0.33.
Supply Chain Attacks
MySQL Connector/J is an Oracle JDBC driver that you can use to interact with MySQL databases from your Java applications. This vulnerability is an example of the security risks associated with software supply chains. As high-profile vulnerabilities like Log4Shell and Spring4Shell have shown, relying on libraries or components that contain security vulnerabilities can render the whole software system vulnerable. Over the past three years, there has been a 742% average annual increase in software supply chain attacks, emphasizing the need to address the security of software supply chain at the ecosystem level.
References
- https://www.oracle.com/security-alerts/cpuapr2023.html
- https://nvd.nist.gov/vuln/detail/CVE-2023-21971
Acknowledgments
We thank the maintainers for responding to the issue and providing a fix and new releases.