Vulnerabilities > CVE-2015-2575 - Remote Security vulnerability in Oracle MySQL Connectors
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
SINGLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
NONE Summary
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Vulnerable Configurations
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3621.NASL description A vulnerability was discovered in mysql-connector-java, a Java database (JDBC) driver for MySQL, which may result in unauthorized update, insert or delete access to some MySQL Connectors accessible data as well as read access to a subset of MySQL Connectors accessible data. The vulnerability was addressed by upgrading mysql-connector-java to the new upstream version 5.1.39, which includes additional changes, such as bug fixes, new features, and possibly incompatible changes. Please see the MySQL Connector/J Release Notes and Oracle last seen 2020-06-01 modified 2020-06-02 plugin id 92381 published 2016-07-19 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92381 title Debian DSA-3621-1 : mysql-connector-java - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3621. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(92381); script_version("2.5"); script_cvs_date("Date: 2018/11/13 12:30:46"); script_cve_id("CVE-2015-2575"); script_xref(name:"DSA", value:"3621"); script_name(english:"Debian DSA-3621-1 : mysql-connector-java - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "A vulnerability was discovered in mysql-connector-java, a Java database (JDBC) driver for MySQL, which may result in unauthorized update, insert or delete access to some MySQL Connectors accessible data as well as read access to a subset of MySQL Connectors accessible data. The vulnerability was addressed by upgrading mysql-connector-java to the new upstream version 5.1.39, which includes additional changes, such as bug fixes, new features, and possibly incompatible changes. Please see the MySQL Connector/J Release Notes and Oracle's Critical Patch Update advisory for further details : - https://dev.mysql.com/doc/relnotes/connector-j/5.1/en/ne ws-5-1.html - http://www.oracle.com/technetwork/topics/security/cpuapr 2015-2365600.html#AppendixMSQL" ); script_set_attribute( attribute:"see_also", value:"https://dev.mysql.com/doc/relnotes/connector-j/5.1/en/news-5-1.html" ); # https://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?915d056a" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/mysql-connector-java" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2016/dsa-3621" ); script_set_attribute( attribute:"solution", value: "Upgrade the mysql-connector-java packages. For the stable distribution (jessie), this problem has been fixed in version 5.1.39-1~deb8u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql-connector-java"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"8.0", prefix:"libmysql-java", reference:"5.1.39-1~deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1082.NASL description mysql-connector-java was updated to 5.1.35, fixing multiple bugs and a security issues. - CVE-2015-2575: Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J. (bnc#927981) Please see http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-09-15 plugin id 93500 published 2016-09-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93500 title openSUSE Security Update : mysql-connector-java (openSUSE-2016-1082) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-526.NASL description A vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J) has been discovered that may result in unauthorized update, insert or delete access to some MySQL Connectors accessible data as well as read access to a subset of MySQL Connectors. The issue is addressed by updating to the latest stable release of mysql-connector-java since Oracle did not release further information. Please see Oracle last seen 2020-03-17 modified 2016-06-27 plugin id 91832 published 2016-06-27 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91832 title Debian DLA-526-1 : mysql-connector-java security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-389.NASL description mysql-connector-java was updated to 5.1.35 to fix one security issue and a number of bugs. The following vulnerability was fixed : - CVE-2015-2575: Difficult to exploit vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some MySQL Connectors accessible data as well as read access to a subset of MySQL Connectors accessible data. In addition, mysql-connector-java was updated to 5.1.35 to fix a number of upstream bugs, details of which listed in CHANGES as well as http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html last seen 2020-06-05 modified 2015-06-01 plugin id 83914 published 2015-06-01 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83914 title openSUSE Security Update : mysql-connector-java (openSUSE-2015-389)
References
- http://lists.opensuse.org/opensuse-security-announce/2015-05/msg00026.html
- http://lists.opensuse.org/opensuse-updates/2015-05/msg00089.html
- http://www.debian.org/security/2016/dsa-3621
- http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
- http://www.securityfocus.com/bid/74075
- http://www.securitytracker.com/id/1032121
- https://security.netapp.com/advisory/ntap-20150417-0003/