
Bug 862339 (CVE-2022-21363)

Summary: <dev-java/jdbc-mysql-8.0.32: vulnerability can result in takeover of MySQL Connectors (Oracle CPU January 2022)
Product: Gentoo Security
Reporter: Volkmar W. Pogatzki <gentoo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: fordfrog
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://github.com/gentoo/gentoo/pull/30300
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 902799
Bug Blocks:

Description Volkmar W. Pogatzki 2022-07-30 12:12:53 UTC
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-07-30 15:44:13 UTC
Thanks! Modifying summary to indicate there's not a fixed version in tree yet.
Comment 2 Larry the Git Cow gentoo-dev 2023-03-23 06:48:09 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=dbd9abcca9642479b29ba88ab284a4d15040eaba

commit dbd9abcca9642479b29ba88ab284a4d15040eaba
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2022-06-24 08:48:53 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-03-23 06:48:03 +0000

    dev-java/jdbc-mysql: add 8.0.32 - CVE-2022-21363
    
    Bug: https://bugs.gentoo.org/862339
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/30300
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jdbc-mysql/Manifest                 |  2 +
 dev-java/jdbc-mysql/jdbc-mysql-8.0.32.ebuild | 56 ++++++++++++++++++++++++++++
 dev-java/jdbc-mysql/metadata.xml             |  3 ++
 3 files changed, 61 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-03-23 11:00:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8ffd7478dcaa4b42789c3c0d02f807000548d46

commit a8ffd7478dcaa4b42789c3c0d02f807000548d46
Author:     Miroslav Šulc <fordfrog@gentoo.org>
AuthorDate: 2023-03-23 11:00:32 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2023-03-23 11:00:32 +0000

    dev-java/jdbc-mysql: dropped obsolete and vulnerable 8.0.26
    
    Bug: https://bugs.gentoo.org/862339
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 dev-java/jdbc-mysql/Manifest                 |  1 -
 dev-java/jdbc-mysql/jdbc-mysql-8.0.26.ebuild | 54 ----------------------------
 2 files changed, 55 deletions(-)
Comment 4 Miroslav Šulc gentoo-dev 2023-03-23 11:01:13 UTC
the tree is clean now, you can proceed.
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-04-30 22:12:45 UTC
Thanks! Difficult to exploit so no GLSA. All done!