| Summary: | mysql-connector-java new security issues CVE-2017-3523, CVE-2017-3586, and CVE-2017-3589 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | brtians1, geiger.david68210, herman.viaene, lewyssmith, mageia, marja11, sysadmin-bugs, zombie_ryushu |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO mga5-64-ok mga6-64-ok | ||
| Source RPM: | mysql-connector-java-5.1.41-1.mga6 | CVE: | |
| Status comment: | Fixed upstream in 5.1.42, sadly doesn't build out of the box | ||
Description
David Walser
2017-04-23 19:01:19 CEST
David Walser
2017-04-23 19:01:27 CEST
Whiteboard: (none) => MGA5TOO

Assigning to registered maintainer.

Assignee: bugsquad => mageia

Debian has issued an advisory for CVE-2017-3523 on May 2:
https://www.debian.org/security/2017/dsa-3840

Package : mysql-connector-java
CVE ID : CVE-2017-3586 CVE-2017-3589

Two vulnerabilities have been found in the MySQL Connector/J JDBC driver.

For the stable distribution (jessie), these problems have been fixed in version 5.1.42-1~deb8u1.

For the upcoming stable distribution (stretch), these problems have been fixed in version 5.1.42-1.

For the unstable distribution (sid), these problems have been fixed in version 5.1.42-1.

We recommend that you upgrade your mysql-connector-java packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found

CC: (none) => zombie_ryushu

(In reply to David Walser from comment #2)
> Debian has issued an advisory for CVE-2017-3523 on May 2:
> https://www.debian.org/security/2017/dsa-3840

Debian advisory for the other two CVEs from May 18:
https://www.debian.org/security/2017/dsa-3857

It looks like upgrading to 5.1.42 would fix all of these.

David Walser
2017-06-05 01:01:15 CEST
Status comment: (none) => Fixed upstream in 5.1.42

Tried a local build of 5.1.42 but it fails:
-compile-driver-jdbc4:
[echo] Compiling MySQL Connector/J JDBC 4+ implementation with '/usr/lib/jvm/java' to 'build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT'
[javac] Compiling 41 source files to /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT
[javac] warning: [options] bootstrap class path not set in conjunction with -source 1.6
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/hibernate/FabricMultiTenantConnectionProvider.java:30: error: package org.hibernate.engine.jdbc.connections.spi does not exist
[javac] import org.hibernate.engine.jdbc.connections.spi.MultiTenantConnectionProvider;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/hibernate/FabricMultiTenantConnectionProvider.java:44: error: cannot find symbol
[javac] public class FabricMultiTenantConnectionProvider implements MultiTenantConnectionProvider {
[javac] ^
[javac] symbol: class MultiTenantConnectionProvider
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:30: error: package org.hibernate does not exist
[javac] import org.hibernate.Session;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:31: error: package org.hibernate does not exist
[javac] import org.hibernate.SessionFactory;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:32: error: package org.hibernate.cfg does not exist
[javac] import org.hibernate.cfg.Configuration;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:33: error: package org.hibernate.boot.registry does not exist
[javac] import org.hibernate.boot.registry.StandardServiceRegistryBuilder;
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:105: error: cannot find symbol
[javac] public static SessionFactory createSessionFactory(String fabricUrl, String username, String password, String fabricUser, String fabricPassword)
[javac] ^
[javac] symbol: class SessionFactory
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/jdbc/FabricMySQLConnectionProxy.java:87: error: FabricMySQLConnectionProxy is not abstract and does not override abstract method createStruct(String,Object[]) in Connection
[javac] public class FabricMySQLConnectionProxy extends ConnectionPropertiesImpl implements FabricMySQLConnection, FabricMySQLConnectionProperties {
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:71: error: cannot find symbol
[javac] SessionFactory sf = createSessionFactory("http://" + hostname + ":" + port, user, password, fabricUsername, fabricPassword);
[javac] ^
[javac] symbol: class SessionFactory
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:81: error: cannot find symbol
[javac] Session session = sf.withOptions().tenantIdentifier("" + j) // choose a db server
[javac] ^
[javac] symbol: class Session
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:110: error: cannot find symbol
[javac] StandardServiceRegistryBuilder srb = new StandardServiceRegistryBuilder();
[javac] ^
[javac] symbol: class StandardServiceRegistryBuilder
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:110: error: cannot find symbol
[javac] StandardServiceRegistryBuilder srb = new StandardServiceRegistryBuilder();
[javac] ^
[javac] symbol: class StandardServiceRegistryBuilder
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:111: error: package org.hibernate.engine.jdbc.connections.spi does not exist
[javac] srb.addService(org.hibernate.engine.jdbc.connections.spi.MultiTenantConnectionProvider.class, connProvider);
[javac] ^
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:114: error: cannot find symbol
[javac] Configuration config = new Configuration();
[javac] ^
[javac] symbol: class Configuration
[javac] location: class HibernateFabric
[javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:114: error: cannot find symbol
[javac] Configuration config = new Configuration();
[javac] ^
[javac] symbol: class Configuration
[javac] location: class HibernateFabric
[javac] 15 errors
[javac] 1 warning
Missing dep, but is it just a missing BR or should we import a new hibernate-something package?
Rémi Verschelde
2017-07-04 22:44:23 CEST
Source RPM: mysql-connector-java-5.1.35-2.mga6.src.rpm => mysql-connector-java-5.1.41-1.mga6
David Walser
2017-07-07 04:24:23 CEST
Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

So! fixed for mga5, mga6 and also Cauldron \o/

Thanks David!

Advisory:
========================

Updated mysql-connector-java package fixes security vulnerabilities:

Thijs Alkemade discovered that unexpected automatic deserialisation of Java objects in the MySQL Connector/J JDBC driver may result in the execution of arbitrary code (CVE-2017-3523).

Two vulnerabilities have been found in the MySQL Connector/J JDBC driver (CVE-2017-3586, CVE-2017-3589).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589
https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL
https://www.debian.org/security/2017/dsa-3840
https://www.debian.org/security/2017/dsa-3857
========================

Updated packages in core/updates_testing:
========================
mysql-connector-java-5.1.42-1.mga5
mysql-connector-java-5.1.42-1.mga6

from SRPMS:
mysql-connector-java-5.1.42-1.mga5.src.rpm
mysql-connector-java-5.1.42-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO

Pointer
------
The only previous bug on this is:
https://bugs.mageia.org/show_bug.cgi?id=16070
but the attachment https://bugs.mageia.org/attachment.cgi?id=6809 + related comments 8 9 10 look good for testing this update. For which thanks to Brian.

CC: (none) => lewyssmith

Can be due to my ignorance, but at CLI
[tester5@mach5 Downloads]$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[tester5@mach5 Downloads]$ java Mariadb_Connect
java.lang.ClassNotFoundException: com.mysql.jdbc.Driver
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at Mariadb_Connect.main(Mariadb_Connect.java:15)
Exception: com.mysql.jdbc.Driver

CC: (none) => herman.viaene

Trying M5/64

Added Brian to the CC list for his help if possible.

Referring to bug 16070, downloaded the attachment Mariadb_Connect.java
In /etc/my.cnf, commented out 'skip-networking'.

From the old bug comments 9 & 10, I tried (from the same directory):

c10, new compile?
$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
bash: javac: command not found

Installed pkg 'javacc'. To get something to happen, I needed:
$ javacc.sh -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
Java Compiler Compiler Version 5.0 (Parser Generator)
(type "javacc" with no arguments for help)
Warning: Bad option "-cp" will be ignored.
Argument "/usr/share/java/mysql-connector-java.jar:." must be an option setting.

c9, to run?
$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
Error: Could not find or load main class Mariadb_Connect

c9, old compile, obsolete?
$ java -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect
Error: Could not find or load main class Mariadb_Connect

Am unsure what these commands are really meant to do; and whether running them without errors suffices to drive the 'mysql-connector-java' package.

CC: (none) => brtians1

$ uname -a
Linux localhost 4.4.88-desktop-1.mga5 #1 SMP Thu Sep 14 00:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Ok - ran mysql-connector-5.1.35 and it worked in MGA5
$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[brian@localhost java]$ ls -ltr
total 3212
-rw------- 1 brian brian 165085 Mar 21 2009 getstartderby.pdf
-rw------- 1 brian brian 1592484 Mar 21 2009 refderby.pdf
-rw------- 1 brian brian 819598 Mar 21 2009 derbydev.pdf
drwxrwxr-x 9 brian brian 4096 Feb 3 2010 docs/
drwxrwxr-x 5 brian brian 4096 Feb 19 2011 weather/
drwxrwxr-x 5 brian brian 4096 Feb 19 2011 FunApp1/
drwxrwxr-x 7 brian brian 4096 Oct 15 2011 Reminder/
-rw------- 1 brian brian 365162 Nov 3 2012 derbyadmin.pdf
-rw------- 1 brian brian 278214 Nov 3 2012 derbytools.pdf
drwxrwxr-x 8 brian brian 4096 Nov 3 2012 derby_10910/
drwxrwxr-x 4 brian brian 4096 Nov 3 2012 derbytutor/
drwxrwxr-x 11 brian brian 12288 May 29 2016 jcode/
-rw-rw-r-- 1 brian brian 937 Jun 18 20:46 helloworld.java
-rw-r--r-- 1 brian brian 858 Jun 18 20:47 helloworld$1.class
-rw-r--r-- 1 brian brian 1114 Jun 18 20:47 helloworld.class
-rw-rw-r-- 1 brian brian 3342 Oct 19 12:59 Mariadb_Connect.java
-rw-r--r-- 1 brian brian 3314 Oct 19 13:00 Mariadb_Connect.class
[brian@localhost java]$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------
dropped the books table
Close the database connection
[brian@localhost java]$
Removed 5.1.35 and re-ran
$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
java.lang.ClassNotFoundException: com.mysql.jdbc.Driver
at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
at java.lang.Class.forName0(Native Method)
at java.lang.Class.forName(Class.java:264)
at Mariadb_Connect.main(Mariadb_Connect.java:14)
Exception: com.mysql.jdbc.Driver
[brian@localhost java]$
Installed 5.1.42.1
$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------
dropped the books table
Close the database connection
[brian@localhost java]$
Working as designed. Lewis - I think you were missing the javac application.

Whiteboard: MGA5TOO => MGA5TOO mga5-64-ok

mga6-64

I have to say I banged my head around on this one. Finally got it working. Don't forget to update /etc/my.cnf and comment out skip-networking with a # symbol, then restart the server. Part of the challenge is to remember to install the java-1.8.0-openjdk-devel to get the javac compiler.

[brian@localhost Documents]$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[brian@localhost Documents]$ java -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect
Trying to Connect to the database
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------
dropped the books table
Close the database connection
[brian@localhost Documents]$ uname -a
Linux localhost 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:14:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[brian@localhost Documents]$

Whiteboard: MGA5TOO mga5-64-ok => MGA5TOO mga5-64-ok mga6-64-ok

Advisoried. Validating as it has 2 expert 64-bit OKs. Many thanks to Brian for coming to the rescue.

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0382.html

Resolution: (none) => FIXED
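The QA testing in this thread compiles Mariadb_Connect.java against /usr/share/java/mysql-connector-java.jar and runs it, and the ClassNotFoundException for com.mysql.jdbc.Driver shows up exactly when that jar is absent or not on the classpath. The following program is an added example for this page, not code from the bug report, from Mageia or from Connector/J: it performs the two checks a verifier of this update would want in one step, that the driver class loads from the classpath and that the jar it was loaded from declares a version at or above 5.1.42, the release the advisory names as fixed. The class name CheckConnectorJ is mine, and it assumes the jar's META-INF/MANIFEST.MF carries an Implementation-Version attribute; if the attribute is missing the check fails closed rather than reporting the driver as patched.

```java
// Added example (not part of the bug report): confirm the installed MySQL Connector/J
// is loadable and is at least the fixed release named in the advisory (5.1.42).
//
// Compile and run with the jar path used throughout the thread:
//   javac CheckConnectorJ.java
//   java -cp /usr/share/java/mysql-connector-java.jar:. CheckConnectorJ
//
// Assumption: the jar manifest has an Implementation-Version attribute. If it does not,
// the program exits 1 ("cannot confirm") instead of claiming the driver is patched.
import java.io.File;
import java.security.CodeSource;
import java.util.jar.Attributes;
import java.util.jar.JarFile;
import java.util.jar.Manifest;

public class CheckConnectorJ {
    // The class the QA test failed to load when the jar was not installed.
    static final String DRIVER_CLASS = "com.mysql.jdbc.Driver";
    // First release fixing CVE-2017-3523, CVE-2017-3586 and CVE-2017-3589 (per the advisory).
    static final String MIN_FIXED_VERSION = "5.1.42";

    /** Leading digits of one dotted component, so "42-SNAPSHOT" compares as 42. */
    static int parseComponent(String s) {
        int end = 0;
        while (end < s.length() && Character.isDigit(s.charAt(end))) end++;
        return end == 0 ? 0 : Integer.parseInt(s.substring(0, end));
    }

    /** Numeric dotted-version comparison: negative if a < b, 0 if equal, positive if a > b. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("\\."), pb = b.split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length ? parseComponent(pa[i]) : 0;
            int y = i < pb.length ? parseComponent(pb[i]) : 0;
            if (x != y) return Integer.compare(x, y);
        }
        return 0;
    }

    /**
     * Loads the driver class (ClassNotFoundException if the jar is not on the classpath)
     * and returns the Implementation-Version of the jar it came from, or null if unknown.
     */
    static String installedDriverVersion() throws Exception {
        Class<?> driver = Class.forName(DRIVER_CLASS);
        // URLClassLoader fills Package metadata from the defining jar's manifest.
        Package pkg = driver.getPackage();
        String v = pkg == null ? null : pkg.getImplementationVersion();
        if (v != null) return v;
        // Fallback: open the jar the class was loaded from and read the main attributes.
        CodeSource cs = driver.getProtectionDomain().getCodeSource();
        if (cs == null) return null;
        try (JarFile jar = new JarFile(new File(cs.getLocation().toURI()))) {
            Manifest mf = jar.getManifest();
            if (mf == null) return null;
            return mf.getMainAttributes().getValue(Attributes.Name.IMPLEMENTATION_VERSION);
        }
    }

    public static void main(String[] args) {
        String version;
        try {
            version = installedDriverVersion();
        } catch (ClassNotFoundException e) {
            // The same failure the thread shows when mysql-connector-java is missing.
            System.err.println(DRIVER_CLASS + " not found: is mysql-connector-java installed and on -cp?");
            System.exit(2);
            return;
        } catch (Exception e) {
            System.err.println("Could not inspect the driver jar: " + e);
            System.exit(2);
            return;
        }
        if (version == null) {
            System.err.println("Driver loaded, but its jar declares no Implementation-Version; cannot confirm the fix.");
            System.exit(1);
            return;
        }
        boolean fixed = compareVersions(version, MIN_FIXED_VERSION) >= 0;
        System.out.println("Connector/J " + version + (fixed ? " >= " : " < ") + MIN_FIXED_VERSION
                + (fixed ? ": includes the fixes for CVE-2017-3523, CVE-2017-3586, CVE-2017-3589"
                         : ": update required"));
        System.exit(fixed ? 0 : 1);
    }
}
```

Exit status 0 means the driver loaded and is 5.1.42 or newer, 1 means it loaded but is older or its version could not be read, and 2 means the class could not be loaded at all (the ClassNotFoundException case above). Unlike the Mariadb_Connect test, this needs no running MariaDB server and no change to /etc/my.cnf, so it can be scripted on every host that ships the jar.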