Bug 20731 - mysql-connector-java new security issues CVE-2017-3523, CVE-2017-3586, and CVE-2017-3589
Summary: mysql-connector-java new security issues CVE-2017-3523, CVE-2017-3586, and CV...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5TOO mga5-64-ok mga6-64-ok
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-04-23 19:01 CEST by David Walser
Modified: 2017-10-24 07:51 CEST (History)
CC: 8 users

See Also:
Source RPM: mysql-connector-java-5.1.41-1.mga6
CVE:
Status comment: Fixed upstream in 5.1.42, sadly doesn't build out of the box



Description David Walser 2017-04-23 19:01:19 CEST
The April 2017 Oracle CPU includes security issues in MySQL Connector Java:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL

Versions 5.1.41 and earlier are affected, and that appears to be the current version, so I'm not sure if all of these issues have been fixed yet.

Mageia 5 is also affected.
David Walser 2017-04-23 19:01:27 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2017-04-24 10:16:07 CEST
Assigning to registered maintainer

Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11

Comment 2 David Walser 2017-05-03 12:19:37 CEST
Debian has issued an advisory for CVE-2017-3523 on May 2:
https://www.debian.org/security/2017/dsa-3840
Comment 3 Zombie Ryushu 2017-05-20 13:57:39 CEST
Package        : mysql-connector-java
CVE ID         : CVE-2017-3586 CVE-2017-3589

Two vulnerabilities have been found in the MySQL Connector/J JDBC driver.

For the stable distribution (jessie), these problems have been fixed in
version 5.1.42-1~deb8u1.

For the upcoming stable distribution (stretch), these problems have been
fixed in version 5.1.42-1.

For the unstable distribution (sid), these problems have been fixed in
version 5.1.42-1.

We recommend that you upgrade your mysql-connector-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found

CC: (none) => zombie_ryushu

Comment 4 David Walser 2017-05-20 22:25:13 CEST
(In reply to David Walser from comment #2)
> Debian has issued an advisory for CVE-2017-3523 on May 2:
> https://www.debian.org/security/2017/dsa-3840

Debian advisory for the other two CVEs from May 18:
https://www.debian.org/security/2017/dsa-3857
Comment 5 David Walser 2017-05-23 06:52:59 CEST
It looks like upgrading to 5.1.42 would fix all of these.
David Walser 2017-06-05 01:01:15 CEST

Status comment: (none) => Fixed upstream in 5.1.42

Comment 6 Rémi Verschelde 2017-07-04 22:08:02 CEST
Tried a local build of 5.1.42 but it fails:

-compile-driver-jdbc4:
     [echo] Compiling MySQL Connector/J JDBC 4+ implementation with '/usr/lib/jvm/java' to 'build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT'
    [javac] Compiling 41 source files to /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT
    [javac] warning: [options] bootstrap class path not set in conjunction with -source 1.6
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/hibernate/FabricMultiTenantConnectionProvider.java:30: error: package org.hibernate.engine.jdbc.connections.spi does not exist
    [javac] import org.hibernate.engine.jdbc.connections.spi.MultiTenantConnectionProvider;
    [javac]                                                 ^
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/hibernate/FabricMultiTenantConnectionProvider.java:44: error: cannot find symbol
    [javac] public class FabricMultiTenantConnectionProvider implements MultiTenantConnectionProvider {
    [javac]                                                             ^
    [javac]   symbol: class MultiTenantConnectionProvider
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:30: error: package org.hibernate does not exist
    [javac] import org.hibernate.Session;
    [javac]                     ^
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:31: error: package org.hibernate does not exist
    [javac] import org.hibernate.SessionFactory;
    [javac]                     ^
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:32: error: package org.hibernate.cfg does not exist
    [javac] import org.hibernate.cfg.Configuration;
    [javac]                         ^
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:33: error: package org.hibernate.boot.registry does not exist
    [javac] import org.hibernate.boot.registry.StandardServiceRegistryBuilder;
    [javac]                                   ^
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:105: error: cannot find symbol
    [javac]     public static SessionFactory createSessionFactory(String fabricUrl, String username, String password, String fabricUser, String fabricPassword)
    [javac]                   ^
    [javac]   symbol:   class SessionFactory
    [javac]   location: class HibernateFabric
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/com/mysql/fabric/jdbc/FabricMySQLConnectionProxy.java:87: error: FabricMySQLConnectionProxy is not abstract and does not override abstract method createStruct(String,Object[]) in Connection
    [javac] public class FabricMySQLConnectionProxy extends ConnectionPropertiesImpl implements FabricMySQLConnection, FabricMySQLConnectionProperties {
    [javac]        ^
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:71: error: cannot find symbol
    [javac]         SessionFactory sf = createSessionFactory("http://" + hostname + ":" + port, user, password, fabricUsername, fabricPassword);
    [javac]         ^
    [javac]   symbol:   class SessionFactory
    [javac]   location: class HibernateFabric
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:81: error: cannot find symbol
    [javac]             Session session = sf.withOptions().tenantIdentifier("" + j) // choose a db server
    [javac]             ^
    [javac]   symbol:   class Session
    [javac]   location: class HibernateFabric
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:110: error: cannot find symbol
    [javac]         StandardServiceRegistryBuilder srb = new StandardServiceRegistryBuilder();
    [javac]         ^
    [javac]   symbol:   class StandardServiceRegistryBuilder
    [javac]   location: class HibernateFabric
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:110: error: cannot find symbol
    [javac]         StandardServiceRegistryBuilder srb = new StandardServiceRegistryBuilder();
    [javac]                                                  ^
    [javac]   symbol:   class StandardServiceRegistryBuilder
    [javac]   location: class HibernateFabric
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:111: error: package org.hibernate.engine.jdbc.connections.spi does not exist
    [javac]         srb.addService(org.hibernate.engine.jdbc.connections.spi.MultiTenantConnectionProvider.class, connProvider);
    [javac]                                                                 ^
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:114: error: cannot find symbol
    [javac]         Configuration config = new Configuration();
    [javac]         ^
    [javac]   symbol:   class Configuration
    [javac]   location: class HibernateFabric
    [javac] /home/akien/Mageia/Checkout/mysql-connector-java/BUILD/mysql-connector-j-5.1.42/build-mysql-jdbc/mysql-connector-java-5.1.42-SNAPSHOT/demo/fabric/HibernateFabric.java:114: error: cannot find symbol
    [javac]         Configuration config = new Configuration();
    [javac]                                    ^
    [javac]   symbol:   class Configuration
    [javac]   location: class HibernateFabric
    [javac] 15 errors
    [javac] 1 warning


Missing dep, but is it just a missing BR or should we import a new hibernate-something package?
Rémi Verschelde 2017-07-04 22:44:23 CEST

Source RPM: mysql-connector-java-5.1.35-2.mga6.src.rpm => mysql-connector-java-5.1.41-1.mga6
Status comment: Fixed upstream in 5.1.42 => Fixed upstream in 5.1.42, sadly doesn't build out of the box

David Walser 2017-07-07 04:24:23 CEST

Whiteboard: MGA5TOO => MGA6TOO, MGA5TOO

Comment 7 David GEIGER 2017-10-07 21:02:47 CEST
So! fixed for mga5, mga6 and also Cauldron \o/
Comment 8 David Walser 2017-10-08 00:31:34 CEST
Thanks David!

Advisory:
========================

Updated mysql-connector-java package fixes security vulnerabilities:

Thijs Alkemade discovered that unexpected automatic deserialisation of Java
objects in the MySQL Connector/J JDBC driver may result in the execution of
arbitrary code (CVE-2017-3523).

Two vulnerabilities have been found in the MySQL Connector/J JDBC driver
(CVE-2017-3586, CVE-2017-3589).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3523
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3586
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589
https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html#AppendixMSQL
https://www.debian.org/security/2017/dsa-3840
https://www.debian.org/security/2017/dsa-3857
========================

Updated packages in core/updates_testing:
========================
mysql-connector-java-5.1.42-1.mga5
mysql-connector-java-5.1.42-1.mga6

from SRPMS:
mysql-connector-java-5.1.42-1.mga5.src.rpm
mysql-connector-java-5.1.42-1.mga6.src.rpm

Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
CC: (none) => mageia
Version: Cauldron => 6
Assignee: mageia => qa-bugs

Comment 9 Lewis Smith 2017-10-09 20:07:26 CEST
Pointer
------
The only previous bug on this is:
 https://bugs.mageia.org/show_bug.cgi?id=16070
but the attachment https://bugs.mageia.org/attachment.cgi?id=6809
+ related comments 8 9 10 look good for testing this update.
For which thanks to Brian.

CC: (none) => lewyssmith

Comment 10 Herman Viaene 2017-10-17 23:42:58 CEST
Can be due to my ignorance, but at CLI

[tester5@mach5 Downloads]$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[tester5@mach5 Downloads]$ java Mariadb_Connect
java.lang.ClassNotFoundException: com.mysql.jdbc.Driver
        at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:264)
        at Mariadb_Connect.main(Mariadb_Connect.java:15)
Exception: com.mysql.jdbc.Driver

CC: (none) => herman.viaene

Comment 11 Lewis Smith 2017-10-18 21:19:29 CEST
Trying M5/64

Added Brian to the CC list for his help if possible.
Referring to bug 16070, downloaded the attachment Mariadb_Connect.java
In /etc/my.cnf, commented out 'skip-networking'.
From the old bug comments 9 & 10, I tried (from the same directory):

c10, new compile?
 $ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
 bash: javac: command not found

Installed pkg 'javacc'. To get something to happen, I needed:
 $ javacc.sh -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
 Java Compiler Compiler Version 5.0 (Parser Generator)
(type "javacc" with no arguments for help)
 Warning: Bad option "-cp" will be ignored.
 Argument "/usr/share/java/mysql-connector-java.jar:." must be an option setting.

c9, to run?
 $ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
 Error: Could not find or load main class Mariadb_Connect

c9, old compile, obsolete?
 $ java -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect
 Error: Could not find or load main class Mariadb_Connect

Am unsure what these commands are really meant to do; and whether running them without errors suffices to drive the 'mysql-connector-java' package.

CC: (none) => brtians1

Comment 12 Brian Rockwell 2017-10-19 20:06:56 CEST
$ uname -a
Linux localhost 4.4.88-desktop-1.mga5 #1 SMP Thu Sep 14 00:03:58 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Ok - ran mysql-connector-5.1.35 and it worked in MGA5


$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[brian@localhost java]$ ls -ltr
total 3212
-rw-------  1 brian brian  165085 Mar 21  2009 getstartderby.pdf
-rw-------  1 brian brian 1592484 Mar 21  2009 refderby.pdf
-rw-------  1 brian brian  819598 Mar 21  2009 derbydev.pdf
drwxrwxr-x  9 brian brian    4096 Feb  3  2010 docs/
drwxrwxr-x  5 brian brian    4096 Feb 19  2011 weather/
drwxrwxr-x  5 brian brian    4096 Feb 19  2011 FunApp1/
drwxrwxr-x  7 brian brian    4096 Oct 15  2011 Reminder/
-rw-------  1 brian brian  365162 Nov  3  2012 derbyadmin.pdf
-rw-------  1 brian brian  278214 Nov  3  2012 derbytools.pdf
drwxrwxr-x  8 brian brian    4096 Nov  3  2012 derby_10910/
drwxrwxr-x  4 brian brian    4096 Nov  3  2012 derbytutor/
drwxrwxr-x 11 brian brian   12288 May 29  2016 jcode/
-rw-rw-r--  1 brian brian     937 Jun 18 20:46 helloworld.java
-rw-r--r--  1 brian brian     858 Jun 18 20:47 helloworld$1.class
-rw-r--r--  1 brian brian    1114 Jun 18 20:47 helloworld.class
-rw-rw-r--  1 brian brian    3342 Oct 19 12:59 Mariadb_Connect.java
-rw-r--r--  1 brian brian    3314 Oct 19 13:00 Mariadb_Connect.class
[brian@localhost java]$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------

dropped the books table
Close the database connection
[brian@localhost java]$

Removed 5.1.35 and re-ran

$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
java.lang.ClassNotFoundException: com.mysql.jdbc.Driver
        at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:335)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
        at java.lang.Class.forName0(Native Method)
        at java.lang.Class.forName(Class.java:264)
        at Mariadb_Connect.main(Mariadb_Connect.java:14)
Exception: com.mysql.jdbc.Driver
[brian@localhost java]$

Installed 5.1.42.1

$ java -cp .:/usr/share/java/mysql-connector-java.jar Mariadb_Connect
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------

dropped the books table
Close the database connection
[brian@localhost java]$

Working as designed.  Lewis - I think you were missing the javac application.

Whiteboard: MGA5TOO => MGA5TOO mga5-64-ok

Comment 13 Brian Rockwell 2017-10-20 00:09:42 CEST
mga6-64


I have to say I banged my head around on this one.  Finally got it working.  Don't forget to update /etc/my.cnf and comment out skip-networking with a # symbol, then restart the server. 

Part of the challenge is to remember to install the java-1.8.0-openjdk-devel to get the javac compiler

[brian@localhost Documents]$ javac -cp /usr/share/java/mysql-connector-java.jar:. -source 7 -target 7 Mariadb_Connect.java
warning: [options] bootstrap class path not set in conjunction with -source 1.7
1 warning
[brian@localhost Documents]$ java -cp /usr/share/java/mysql-connector-java.jar:. Mariadb_Connect
Trying to Connect to the database
Successfully connected to MySQL server using TCP/IP...
Database test checked
Changed to test database
Table books created
Rows insertered into books table
---------------------------------
Now listing the titles from books
---------------------------------
1 The Fellowship of the Ring
2 The Two Towers
3 The Return of the King
4 The Sum of All Men
5 Brotherhood of the Wolf
6 Wizardborn
7 The Hobbbit
---------------------------------

dropped the books table
Close the database connection
[brian@localhost Documents]$ uname -a
Linux localhost 4.9.50-desktop-1.mga6 #1 SMP Wed Sep 13 23:14:20 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[brian@localhost Documents]$

Whiteboard: MGA5TOO mga5-64-ok => MGA5TOO mga5-64-ok mga6-64-ok
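A pre-flight script for the QA procedure in comments 11 to 13, added here as an example (it is not part of the bug report or of Mageia's tooling): it checks the points the testers tripped over (javac from java-1.8.0-openjdk-devel, an active skip-networking in /etc/my.cnf, the jar on the class path) and that the installed package is at least 5.1.42 before compiling and running Mariadb_Connect.java, which is assumed to be bug 16070's attachment placed in the current directory.

```shell
#!/bin/sh
# Added example, not from the bug report. Paths and package names are the
# Mageia ones quoted in comments 11-13; Mariadb_Connect.java is assumed to
# be bug 16070's attachment in the current directory (not supplied here).
set -u

JAR=/usr/share/java/mysql-connector-java.jar
MYCNF=/etc/my.cnf
FIXED=5.1.42   # first upstream release with all three CVEs fixed

# 0 if FILE has an active (uncommented) skip-networking directive, else 1.
# The JDBC test connects over TCP/IP, so this must be commented out.
skip_networking_active() {
    grep -Eq '^[[:space:]]*skip[-_]networking[[:space:]]*(=.*)?$' "$1"
}

# 0 if dotted version $1 is >= dotted version $2, else 1.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$2" ]
}

# Version of the installed mysql-connector-java package; fails if absent.
installed_version() {
    rpm -q mysql-connector-java >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}' mysql-connector-java
}

preflight() {
    ok=0
    command -v javac >/dev/null 2>&1 || { echo "javac missing: install java-1.8.0-openjdk-devel"; ok=1; }
    [ -r "$JAR" ] || { echo "$JAR not found"; ok=1; }
    if skip_networking_active "$MYCNF"; then
        echo "comment out skip-networking in $MYCNF and restart the server"; ok=1
    fi
    v=$(installed_version) || v=""
    if version_ge "$v" "$FIXED"; then
        echo "driver $v >= $FIXED"
    else
        echo "driver '$v' is older than $FIXED (or not installed)"; ok=1
    fi
    return $ok
}

run_test() {
    # Both the jar and '.' must be on the class path for compile and run;
    # otherwise com.mysql.jdbc.Driver or Mariadb_Connect is not found.
    javac -cp "$JAR:." -source 7 -target 7 Mariadb_Connect.java &&
    java -cp "$JAR:." Mariadb_Connect
}

if [ "${1:-}" = "--run" ]; then preflight && run_test; fi
```

Run it as `sh preflight.sh --run` on the test machine; without `--run` it only defines the check functions.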

Comment 14 Lewis Smith 2017-10-23 11:16:54 CEST
Advisoried. Validating as it has 2 expert 64-bit OKs.
Many thanks to Brian for coming to the rescue.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 15 Mageia Robot 2017-10-24 07:51:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0382.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

