Vulnerability from csaf_suse
Published
2023-05-18 07:52
Modified
2023-05-18 07:52
Summary
Security update for mysql-connector-java

Notes

Title of the patch
Security update for mysql-connector-java
Description of the patch
This update for mysql-connector-java fixes the following issues: - CVE-2023-21971: Fixed a crash in MySQL Connectors that could be triggered by an authenticated remote user (bsc#1211247). - Ship protobuf 3.9.2 compatible generated files to support older distro versions. - Update to 8.0.32: - MysqlDataSource fails to URL encode database name when constructing JDBC URL. - serverSideStatementCache ignores resultSetType. - UpdatableResultSet does not properly handle unsigned primary key. - Connector/J 8 query with explain can not return ResultRow. - Add support to row alias on INSERT... ON DUPLICATE KEY UPDATE on batch mode. - connectionCollation ignored if characterEncoding is set. - Connector/J rejects UNION with CTE. - Malformed packet generation for `COM_STMT_EXECUTE`. - Connector/J client hangs after prepare & execute process with old version server. - Contribution: Fix name of relocation POM file. - Contribution: [PATCH] Remove superfluous use of boxing. - Contribution: Recognize 'ON DUPLICATE KEY UPDATE' in 'INSERT SET' Statement. - RPM and DEB builds broken after introducing javadoc for maven bundles. - Sonatype compliant POM and maven bundles. - Upgrade 3rd party libraries and tools. - Upgrade Protocol Buffers dependency to protobuf-java-3.21.9. - As Oracle renamed the package to 'mysql-connector-j', we are 'providing' both names for now, but the package has to be renamed to accommodate the change because the old name will be deprecated at some point in the future without further notice. - Update to 8.0.31: Functionality Added or Changed * Important Change: To comply with proper naming guidelines, the Maven groupId and artifactId for Connector/J have been changed to the following starting with this release: groupId: com.mysql artifactId: mysql-connector-j * The old groupId and artifactId can still be used for linking the Connector/J library, but they will point to a Maven relocation POM, redirecting users to the new coordinates. Please switch to the new coordinates as soon as possible, as the old coordinates could be discontinued anytime without notice. See Installing Connector/J Using Maven. * Also, to go with these changes, the .jar library for Connector/J has been renamed to mysql-connector-j-x.y.z for all channels of distribution by Oracle, not just the Maven repository. * Before release 8.0.29, Connector/J always interpolated byte arrays as hexadecimal literals when obtaining a prepared statement's string representation by the toString() method. Since 8.0.29, all byte array values were displayed as ** BYTE ARRAY DATA ** when converted to strings. The same is also true for null values. * To allow different ways to display byte array data and null values, a new connection property, maxByteArrayAsHex, has been introduced: byte arrays shorter than the value of maxByteArrayAsHex are now shown as hexadecimal literals like before release 8.0.29. Any byte arrays longer than this value are interpolated generically as ** BYTE ARRAY DATA **. Bugs Fixed * X DevAPI: When parsing a string into a JSON string, some escape character sequences were not parsed properly, causing the Server to throw a com.mysql.cj.exceptions.WrongArgumentException when receiving the JSON value. This fix ensures that escape sequences are handled properly. * X DevAPI: When using the modify() method on JSON documents, any backslashes inside a literal to be used for the modification were lost. This fix corrects the mistakes in the expression parser that caused the issue. * Executing a PreparedStatment after applying setFetchSize(0) on it caused an ArrayIndexOutOfBoundsException. * Due to some old limitations, when used with Java applets, Connector/J found out the default character set on a system by various workarounds like reading the system property file.encoding, using an OutpuStreamWriter, etc. With this fix, Connector/J now uses Charset.defaultCharset(), the standard method for the purpose. - Update to 8.0.30: Functionality Added or Changed * X DevAPI: For document-modifying methods that are chained after modify() and take a document path expression as one of its arguments (that is, set(), unset(), arrayInsert(), arrayAppend()), Connector/J now throws an error when the document path is empty or is a null string. Bugs Fixed * Historically, MySQL Server has used utf8 as an alias for utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized (though deprecated) character set on its own for MySQL Server and to make things consistent, in release 8.0.30, any collations prefixed with utf8_ are now prefixed with utf8mb3_ instead. To go with that change, Connector/J has updated its character set and collation mapping accordingly in this release, and users are encouraged to update to Connector/J 8.0.30 to avoid potential issues when working with MySQL Server 8.0.30 or later. * A few links in the CONTRIBUTING.md file in the distribution packages were broken. They have now been fixed or removed. * The description for the connection property rewriteBatchedStatements has been corrected, removing the limitation that server-sided prepared statements could not take advantage of the rewrite option. * A spelling error has been fixed in the source file for the PropertyDefinitions class. Thanks to Weijie Wu for contributing the fix. * DatabaseMetaData.getTypeInfo always returned false for AUTO_INCREMENT for all data types. With this fix, Connector/J returns the correct value for each data type. Also, the missing types DOUBLE UNSIGNED and DOUBLE PRECISION UNSIGNED have been added to the ResultSet. * Contrary to the the MySQL requirement for comments, Connector/J did not require a whitespace (or a control character such as a newline) after '--' to mark the beginning of a comment within a SQL statement. This fix aligns Connector/J with the MySQL requirement.
Patchnames
SUSE-2023-2241,openSUSE-SLE-15.4-2023-2241
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).


To clipboard 

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Security update for mysql-connector-java",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "This update for mysql-connector-java fixes the following issues:\n\n- CVE-2023-21971: Fixed a crash in MySQL Connectors that could be\n  triggered by an authenticated remote user (bsc#1211247).\n\n- Ship protobuf 3.9.2 compatible generated files to support \n  older distro versions.\n\n- Update to 8.0.32:\n\n  - MysqlDataSource fails to URL encode database name when constructing JDBC URL.\n  - serverSideStatementCache ignores resultSetType.\n  - UpdatableResultSet does not properly handle unsigned primary key.\n  - Connector/J 8 query with explain can not return ResultRow.\n  - Add support to row alias on INSERT... ON DUPLICATE KEY UPDATE on batch mode.\n  - connectionCollation ignored if characterEncoding is set.\n  - Connector/J rejects UNION with CTE.\n  - Malformed packet generation for `COM_STMT_EXECUTE`.\n  - Connector/J client hangs after prepare & execute process with old version server.\n  - Contribution: Fix name of relocation POM file.\n  - Contribution: [PATCH] Remove superfluous use of boxing.\n  - Contribution: Recognize 'ON DUPLICATE KEY UPDATE' in 'INSERT SET' Statement.\n  - RPM and DEB builds broken after introducing javadoc for maven bundles.\n  - Sonatype compliant POM and maven bundles.\n  - Upgrade 3rd party libraries and tools.\n  - Upgrade Protocol Buffers dependency to protobuf-java-3.21.9.\n\n- As Oracle renamed the package to 'mysql-connector-j', we are\n  'providing' both names for now, but the package has to be renamed\n  to accommodate the change because the old name will be deprecated\n  at some point in the future without further notice.\n\n- Update to 8.0.31:\n\n  Functionality Added or Changed\n\n    * Important Change: To comply with proper naming guidelines, the\n      Maven groupId and artifactId for Connector/J have been changed\n      to the following starting with this release:\n        groupId: com.mysql\n        artifactId: mysql-connector-j\n    * The old groupId and artifactId can still be used for linking \n      the Connector/J library, but they will point to a Maven \n      relocation POM, redirecting users to the new coordinates. \n      Please switch to the new coordinates as soon as possible, as \n      the old coordinates could be discontinued anytime without \n      notice. See Installing Connector/J Using Maven.\n    * Also, to go with these changes, the .jar library for \n      Connector/J has been renamed to mysql-connector-j-x.y.z for \n      all channels of distribution by Oracle, not just the Maven \n      repository.\n    * Before release 8.0.29, Connector/J always interpolated byte\n      arrays as hexadecimal literals when obtaining a prepared \n      statement's string representation by the toString() method. \n      Since 8.0.29, all byte array values were displayed as \n      ** BYTE ARRAY DATA ** when converted to strings. The same is \n      also true for null values.\n    * To allow different ways to display byte array data and null \n      values, a new connection property, maxByteArrayAsHex, has been\n      introduced: byte arrays shorter than the value of \n      maxByteArrayAsHex are now shown as hexadecimal literals like\n      before release 8.0.29. Any byte arrays longer than this value\n      are interpolated generically as ** BYTE ARRAY DATA **.\n\n  Bugs Fixed\n\n    * X DevAPI: When parsing a string into a JSON string, some \n      escape character sequences were not parsed properly, causing \n      the Server to throw a com.mysql.cj.exceptions.WrongArgumentException \n      when receiving the JSON value. This fix ensures that escape \n      sequences are handled properly.\n    * X DevAPI: When using the modify() method on JSON documents, \n      any backslashes inside a literal to be used for the modification \n      were lost. This fix corrects the mistakes in the expression \n      parser that caused the issue.\n    * Executing a PreparedStatment after applying setFetchSize(0) on\n      it caused an ArrayIndexOutOfBoundsException.\n    * Due to some old limitations, when used with Java applets, \n      Connector/J found out the default character set on a system by\n      various workarounds like reading the system property \n      file.encoding, using an OutpuStreamWriter, etc. With this fix,\n      Connector/J now uses Charset.defaultCharset(), the standard\n      method for the purpose.\n\n- Update to 8.0.30:\n\n  Functionality Added or Changed\n\n    * X DevAPI: For document-modifying methods that are chained \n      after modify() and take a document path expression as one of\n      its arguments (that is, set(), unset(), arrayInsert(),\n      arrayAppend()), Connector/J now throws an error when the\n      document path is empty or is a null string.\n\n  Bugs Fixed\n\n    * Historically, MySQL Server has used utf8 as an alias for \n      utf8mb3. Since release 8.0.29, utf8mb3 has become a recognized\n      (though deprecated) character set on its own for MySQL Server\n      and to make things consistent, in release 8.0.30, any \n      collations prefixed with utf8_ are now prefixed with utf8mb3_ \n      instead. To go with that change, Connector/J has updated its\n      character set and collation mapping accordingly in this\n      release, and users are encouraged to update to Connector/J \n      8.0.30 to avoid potential issues when working with MySQL \n      Server 8.0.30 or later.\n    * A few links in the CONTRIBUTING.md file in the distribution\n      packages were broken. They have now been fixed or removed.\n    * The description for the connection property\n      rewriteBatchedStatements has been corrected, removing the\n      limitation that server-sided prepared statements could not\n      take advantage of the rewrite option.\n    * A spelling error has been fixed in the source file for the\n      PropertyDefinitions class. Thanks to Weijie Wu for \n      contributing the fix.\n    * DatabaseMetaData.getTypeInfo always returned false for\n      AUTO_INCREMENT for all data types. With this fix, Connector/J\n      returns the correct value for each data type. Also, the\n      missing types DOUBLE UNSIGNED and DOUBLE PRECISION UNSIGNED\n      have been added to the ResultSet.\n    * Contrary to the the MySQL requirement for comments, \n      Connector/J did not require a whitespace (or a control\n      character such as a newline) after '--' to mark the beginning\n      of a comment within a SQL statement. This fix aligns\n      Connector/J with the MySQL requirement.  \n",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "SUSE-2023-2241,openSUSE-SLE-15.4-2023-2241",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_2241-1.json",
         },
         {
            category: "self",
            summary: "URL for SUSE-SU-2023:2241-1",
            url: "https://www.suse.com/support/update/announcement/2023/suse-su-20232241-1/",
         },
         {
            category: "self",
            summary: "E-Mail link for SUSE-SU-2023:2241-1",
            url: "https://lists.suse.com/pipermail/sle-updates/2023-May/029450.html",
         },
         {
            category: "self",
            summary: "SUSE Bug 1211247",
            url: "https://bugzilla.suse.com/1211247",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2023-21971 page",
            url: "https://www.suse.com/security/cve/CVE-2023-21971/",
         },
      ],
      title: "Security update for mysql-connector-java",
      tracking: {
         current_release_date: "2023-05-18T07:52:05Z",
         generator: {
            date: "2023-05-18T07:52:05Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "SUSE-SU-2023:2241-1",
         initial_release_date: "2023-05-18T07:52:05Z",
         revision_history: [
            {
               date: "2023-05-18T07:52:05Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "mysql-connector-java-8.0.32-150200.3.15.1.noarch",
                        product: {
                           name: "mysql-connector-java-8.0.32-150200.3.15.1.noarch",
                           product_id: "mysql-connector-java-8.0.32-150200.3.15.1.noarch",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "noarch",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "openSUSE Leap 15.4",
                        product: {
                           name: "openSUSE Leap 15.4",
                           product_id: "openSUSE Leap 15.4",
                           product_identification_helper: {
                              cpe: "cpe:/o:opensuse:leap:15.4",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "mysql-connector-java-8.0.32-150200.3.15.1.noarch as component of openSUSE Leap 15.4",
               product_id: "openSUSE Leap 15.4:mysql-connector-java-8.0.32-150200.3.15.1.noarch",
            },
            product_reference: "mysql-connector-java-8.0.32-150200.3.15.1.noarch",
            relates_to_product_reference: "openSUSE Leap 15.4",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2023-21971",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2023-21971",
            },
         ],
         notes: [
            {
               category: "general",
               text: "Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J).  Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors.  Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as  unauthorized update, insert or delete access to some of MySQL Connectors accessible data and  unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts).  CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H).",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "openSUSE Leap 15.4:mysql-connector-java-8.0.32-150200.3.15.1.noarch",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2023-21971",
               url: "https://www.suse.com/security/cve/CVE-2023-21971",
            },
            {
               category: "external",
               summary: "SUSE Bug 1211247 for CVE-2023-21971",
               url: "https://bugzilla.suse.com/1211247",
            },
            {
               category: "external",
               summary: "SUSE Bug 1212040 for CVE-2023-21971",
               url: "https://bugzilla.suse.com/1212040",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "openSUSE Leap 15.4:mysql-connector-java-8.0.32-150200.3.15.1.noarch",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H",
                  version: "3.1",
               },
               products: [
                  "openSUSE Leap 15.4:mysql-connector-java-8.0.32-150200.3.15.1.noarch",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2023-05-18T07:52:05Z",
               details: "moderate",
            },
         ],
         title: "CVE-2023-21971",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.