The issue exists when java.sql.DriverManager.getConnection() is called with a connection URL
or connection properties built from untrusted input. The driver's connection property propertiesTransform
names a class that the driver loads, and it can be abused to load and initialize arbitrary classes reachable from the driver's class loader. The following example illustrates the vulnerability:

```java
Connection conn = DriverManager.getConnection(
        "jdbc:mysql://localhost/test?" + "user=test&password=test&propertiesTransform=com.example.MyArbitraryClass");
```

In this example, the static initializer of com.example.MyArbitraryClass is executed as soon as the class is loaded,
even if the class does not implement the ConnectionPropertiesTransform interface, so any code placed in a static initializer of a class on the classpath runs with the application's privileges.
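The following is an added illustration, not code from aws-mysql-jdbc, of why a class name taken from a connection URL is dangerous and of one way to vet it. The `ConnectionPropertiesTransform` interface, the `parseQuery` helper, the `loadUnsafe`/`loadSafe` methods and the allowlist are all assumptions made for this demo; the real driver's internals and its actual fix in 1.1.13 are not shown on this page. The unsafe path uses `Class.forName(String)`, which initializes the class (running its static initializer) before any interface check can reject it; the hardened path rejects names that are not on a fixed allowlist and loads with `initialize=false` so that nothing runs until the class has been vetted.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

// Added demo (not aws-mysql-jdbc code): class loading driven by an untrusted
// propertiesTransform parameter, unsafe versus hardened.
public class PropertiesTransformDemo {

    // Stand-in for the driver's ConnectionPropertiesTransform interface (assumption: simplified).
    interface ConnectionPropertiesTransform {
        Properties transformProperties(Properties props);
    }

    // Sentinel set by the attacker-chosen class's static initializer. Kept in the outer
    // class so that reading it does not itself trigger initialization of MyArbitraryClass.
    static boolean arbitraryStaticInitRan = false;

    // Attacker-chosen class: does not implement the interface, but carries a static initializer.
    public static class MyArbitraryClass {
        static {
            arbitraryStaticInitRan = true;
            System.out.println("static initializer of MyArbitraryClass executed");
        }
    }

    // A legitimate transform an application might ship (constructed for the demo).
    public static class UpperCaseUserTransform implements ConnectionPropertiesTransform {
        public Properties transformProperties(Properties props) {
            Properties out = new Properties();
            out.putAll(props);
            out.setProperty("user", props.getProperty("user", "").toUpperCase());
            return out;
        }
    }

    // Minimal query-string parser for a JDBC URL (no percent-decoding; enough for the demo).
    static Map<String, String> parseQuery(String jdbcUrl) {
        Map<String, String> params = new HashMap<>();
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return params;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            int eq = pair.indexOf('=');
            if (eq > 0) params.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return params;
    }

    // Unsafe pattern: Class.forName(String) initializes the class, so the static
    // initializer runs before the interface check below has a chance to reject it.
    static ConnectionPropertiesTransform loadUnsafe(String className) throws Exception {
        Class<?> c = Class.forName(className);
        if (!ConnectionPropertiesTransform.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException(className + " is not a ConnectionPropertiesTransform");
        }
        return (ConnectionPropertiesTransform) c.getDeclaredConstructor().newInstance();
    }

    // Hardened pattern (assumption, not the driver's fix): only allowlisted names are accepted,
    // the class is loaded with initialize=false, and the interface check precedes any initialization.
    static ConnectionPropertiesTransform loadSafe(String className, Set<String> allowlist) throws Exception {
        if (!allowlist.contains(className)) {
            throw new IllegalArgumentException("propertiesTransform not allowlisted: " + className);
        }
        Class<?> c = Class.forName(className, false, PropertiesTransformDemo.class.getClassLoader());
        if (!ConnectionPropertiesTransform.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException(className + " is not a ConnectionPropertiesTransform");
        }
        return c.asSubclass(ConnectionPropertiesTransform.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        // Constructed untrusted URL, in the shape of the advisory's example.
        String untrustedUrl = "jdbc:mysql://localhost/test?user=test&password=test"
                + "&propertiesTransform=" + MyArbitraryClass.class.getName();
        String requested = parseQuery(untrustedUrl).get("propertiesTransform");

        // Hardened path: rejected before any class is loaded.
        try {
            loadSafe(requested, Set.of(UpperCaseUserTransform.class.getName()));
        } catch (IllegalArgumentException e) {
            System.out.println("hardened: " + e.getMessage());
        }
        System.out.println("static initializer ran after hardened path: " + arbitraryStaticInitRan);

        // Unsafe path: the interface check still fails, but only after the static initializer ran.
        try {
            loadUnsafe(requested);
        } catch (IllegalArgumentException e) {
            System.out.println("unsafe: " + e.getMessage());
        }
        System.out.println("static initializer ran after unsafe path: " + arbitraryStaticInitRan);
    }
}
```

Compile and run with `javac PropertiesTransformDemo.java && java PropertiesTransformDemo`. The sentinel stays false after the hardened path and flips to true after the unsafe path, which is the whole bug in miniature: an interface check placed after `Class.forName(String)` cannot undo the static initializer that already ran. Note that `MyArbitraryClass.class.getName()` and `Class.forName(name, false, loader)` deliberately do not initialize the class, so the demo only reports what the two loading strategies actually do.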
Impact
The discovered vulnerability allows attackers to compromise applications using the MySQL connector. Successful attacks on this vulnerability can result in the following:
Unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of the MySQL connector.
Unauthorized update, insert or delete access to some of the data accessible to the MySQL connector.
Unauthorized read access to a subset of the data accessible to the MySQL connector.
Arbitrary code execution, via the static initializer of the class named in propertiesTransform.
Patches
1.1.13+ (https://github.com/awslabs/aws-mysql-jdbc/releases/tag/1.1.13)
Workarounds
None. Upgrade the driver to 1.1.13 or later.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-21971