We have found a new vulnerability in MySQL Connector/J (CVE-2023-21971). Oracle issued a critical patch update that fixed the issue on April 18, 2023. The vulnerability was found as part of our collaboration with Google's OSS-Fuzz.

Vulnerability Description

The issue existed in the java.sql.DriverManager.getConnection() method when used with untrusted inputs. The connection property propertiesTransform can be abused to load and execute arbitrary classes. The following example illustrates the vulnerability:

conn = DriverManager.getConnection("jdbc:mysql://localhost/test?" + "user=test&password=test&propertiesTransform=com.example.MyArbitraryClass");

In this example, the static initializer of com.example.MyArbitraryClass will be executed even if the class does not implement the ConnectionPropertiesTransform interface.

The discovered vulnerability allows attackers to compromise MySQL connectors. Successful attacks of this vulnerability can result in the following:

Supported versions that are affected are 8.0.32 and prior. Oracle issued a critical patch update that fixed this vulnerability on April 18, 2023. We strongly recommend that impacted users upgrade to the newer version that includes the fixes, i.e., 8.0.33.

MySQL Connector/J is an Oracle JDBC driver that you can use to interact with MySQL databases from your Java applications.
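A defensive check for the pattern above, as an added example that is not part of the original post or of Connector/J: an application that must accept parts of a JDBC URL from outside can refuse any connection property it does not expect, so a key such as propertiesTransform never reaches DriverManager.getConnection(). The class name JdbcUrlGuard and the contents of the allow-list are assumptions; the code needs Java 11 or later.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Allow-list guard for JDBC URLs assembled from untrusted input (added example, not Connector/J code).
public final class JdbcUrlGuard {
    // Hypothetical allow-list: only the connection properties this application actually needs.
    private static final Set<String> ALLOWED = Set.of("user", "password", "useSSL", "serverTimezone");
    /** Returns the URL unchanged if every ?key=value property is on the allow-list; throws otherwise. */
    public static String validate(String jdbcUrl) {
        if (!jdbcUrl.startsWith("jdbc:mysql://")) {
            throw new IllegalArgumentException("not a jdbc:mysql:// URL");
        }
        int q = jdbcUrl.indexOf('?');
        String query = q < 0 ? "" : jdbcUrl.substring(q + 1); // no '?' means no properties
        for (String key : parseQuery(query).keySet()) {
            if (!ALLOWED.contains(key)) {
                // propertiesTransform, or any other key the application never uses, is refused here
                throw new IllegalArgumentException("disallowed connection property: " + key);
            }
        }
        return jdbcUrl;
    }

    private static Map<String, String> parseQuery(String query) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            // Percent-decode before checking so an encoded key cannot slip past the allow-list
            out.put(URLDecoder.decode(key, StandardCharsets.UTF_8), URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return out;
    }
    public static void main(String[] args) {
        // Constructed input: the URL from the vulnerability description above
        String untrusted = "jdbc:mysql://localhost/test?user=test&password=test&propertiesTransform=com.example.MyArbitraryClass";
        try {
            validate(untrusted);
        } catch (IllegalArgumentException e) {
            System.out.println("refused: " + e.getMessage());
        }
        System.out.println("accepted: " + validate("jdbc:mysql://localhost/test?user=test&password=test"));
    }
}
```

This check covers only the ?key=value form shown in the description; Connector/J also accepts URL syntaxes that carry properties outside the query string, so treat it as defence in depth and not as a substitute for upgrading to 8.0.33.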
Supply Chain Attacks

This vulnerability is an example of the security risks associated with software supply chains. As high-profile vulnerabilities like Log4Shell and Spring4Shell have shown, relying on libraries or components that contain security vulnerabilities can render the whole software system vulnerable. Over the past three years, there has been a 742% average annual increase in software supply chain attacks, emphasizing the need to address the security of the software supply chain at the ecosystem level.

References

Acknowledgments

We thank the maintainers for responding to the issue and providing a fix and new releases.