CVE-2017-3523

Impact:
Important
Public Date:
2017-04-21
CWE:
CWE-502
Bugzilla:
1444759: CVE-2017-3523 mysql-connector-java: Improper automatic deserialization of binary data (CPU Apr 2017)
It was discovered that the MySQL Connector/J client could deserialize certain database contents, regardless of the "autoDeserialize" option. If the client processes data received from an untrusted or compromised database server, a remote attacker could exploit this flaw to cause remote code execution.

Find out more about CVE-2017-3523 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue affects the versions of mysql-connector-java as shipped with Red Hat Enterprise Linux 6 and 7.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 8.5
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required Low
User Interaction None
Scope Changed
Confidentiality High
Integrity Impact High
Availability Impact High

Affected Packages State

Platform Package State
Red Hat Single Sign-On 7 mysql-connector-java Not affected
Red Hat OpenShift Enterprise 2 mysql-connector-java Affected
Red Hat Mobile Application Platform On-Premise 4 mysql-connector-java Affected
Red Hat JBoss Portal Platform 6 mysql-connector-java Will not fix
Red Hat JBoss Fuse Service Works 6 mysql-connector-java Will not fix
Red Hat Enterprise Linux 7 mysql-connector-java Will not fix
Red Hat Enterprise Linux 6 mysql-connector-java Will not fix

External References

Last Modified
Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.