Vulnerabilities > CVE-2017-3589 - Unspecified vulnerability in Oracle Connector/J 5.1.40/5.1.41
Summary
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-945.NASL description Several issues were discovered in mysql-connector-java that allow attackers to execute arbitrary code, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of the data. For Debian 7 last seen 2020-03-17 modified 2017-05-17 plugin id 100227 published 2017-05-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100227 title Debian DLA-945-1 : mysql-connector-java security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-945-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(100227); script_version("3.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2017-3523", "CVE-2017-3586", "CVE-2017-3589"); script_name(english:"Debian DLA-945-1 : mysql-connector-java security update"); script_summary(english:"Checks dpkg output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several issues were discovered in mysql-connector-java that allow attackers to execute arbitrary code, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of the data. For Debian 7 'Wheezy', these problems have been fixed in version 5.1.42-1~deb7u1. We recommend that you upgrade your mysql-connector-java packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2017/05/msg00016.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/mysql-connector-java" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected libmysql-java package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libmysql-java"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2017/05/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"libmysql-java", reference:"5.1.42-1~deb7u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-248.NASL description This update for mysql-connector-java to version to 5.1.42 fixes several issues. These security issues were fixed : - CVE-2017-3589: An unspecified vulnerability in MySQL Connector/J could have resulted in unauthorized update, insert or delete access to some of MySQL Connectors accessible data (bnc#1035210) - CVE-2017-3523: An unspecified vulnerability in MySQL Connector/J could have lead to takeover of MySQL Connectors (bnc#1035697) - CVE-2017-3586: An unspecified vulnerability in MySQL Connectors could have lead to unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data (bnc#1035211) More infos are available at http://dev.mysql.com/doc/relnotes/connector-j/en/news-5-1.html This update was imported from the SUSE:SLE-12-SP1:Update update project. last seen 2020-06-05 modified 2018-03-13 plugin id 108270 published 2018-03-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108270 title openSUSE Security Update : mysql-connector-java (openSUSE-2018-248) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3857.NASL description Two vulnerabilities have been found in the MySQL Connector/J JDBC driver. last seen 2020-06-01 modified 2020-06-02 plugin id 100279 published 2017-05-19 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100279 title Debian DSA-3857-1 : mysql-connector-java - security update
References
- http://www.debian.org/security/2017/dsa-3857
- http://www.debian.org/security/2017/dsa-3857
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
- http://www.securityfocus.com/bid/97836
- http://www.securityfocus.com/bid/97836
- http://www.securitytracker.com/id/1038287
- http://www.securitytracker.com/id/1038287