Bug 862339 (CVE-2022-21363) - <dev-java/jdbc-mysql-8.0.32: vulnerability can result in takeover of MySQL Connectors (Oracle CPU January 2022)
Status: RESOLVED FIXED
Alias: CVE-2022-21363
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Keywords: PullRequest
Depends on: 902799
Reported: 2022-07-30 12:12 UTC by Volkmar W. Pogatzki
Modified: 2023-04-30 22:12 UTC

Description Volkmar W. Pogatzki 2022-07-30 12:12:53 UTC
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-30 15:44:13 UTC
Thanks! Modifying summary to indicate there's not a fixed version in tree yet.
Comment 2 Larry the Git Cow gentoo-dev 2023-03-23 06:48:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbd9abcca9642479b29ba88ab284a4d15040eaba

commit dbd9abcca9642479b29ba88ab284a4d15040eaba
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-06-24 08:48:53 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-03-23 06:48:03 +0000

    dev-java/jdbc-mysql: add 8.0.32 - CVE-2022-21363
    
    Bug: https://bugs.gentoo.org/862339
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/30300
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jdbc-mysql/Manifest                 |  2 +
 dev-java/jdbc-mysql/jdbc-mysql-8.0.32.ebuild | 56 ++++++++++++++++++++++++++++
 dev-java/jdbc-mysql/metadata.xml             |  3 ++
 3 files changed, 61 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-03-23 11:00:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8ffd7478dcaa4b42789c3c0d02f807000548d46

commit a8ffd7478dcaa4b42789c3c0d02f807000548d46
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-03-23 11:00:32 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-03-23 11:00:32 +0000

    dev-java/jdbc-mysql: dropped obsolete and vulnerable 8.0.26
    
    Bug: https://bugs.gentoo.org/862339
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jdbc-mysql/Manifest                 |  1 -
 dev-java/jdbc-mysql/jdbc-mysql-8.0.26.ebuild | 54 ----------------------------
 2 files changed, 55 deletions(-)
Comment 4 Miroslav Šulc gentoo-dev 2023-03-23 11:01:13 UTC
The tree is clean now, you can proceed.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 22:12:45 UTC
Thanks! Difficult to exploit so no GLSA. All done!