SB2018112829 - Fedora 27 update for mysql-connector-java
Published: November 28, 2018
Updated: April 24, 2025
Description
This security bulletin contains information about 4 vulnerabilities.
1) Remote code execution (CVE-ID: CVE-2017-3523)
CWE-ID: CWE-502 - Deserialization of Untrusted Data
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The weakness exists due to unexpected automatic deserialization of Java objects by the connector, which a remote attacker can abuse to execute arbitrary code.
Successful exploitation of the vulnerability may result in system compromise.
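The bulletin describes the flaw only as unexpected automatic deserialization of Java objects and does not name a driver setting. The following check is an added example for this page, not code from the bulletin, Fedora, Oracle or the Connector/J project; it assumes that the relevant knob is the Connector/J connection property `autoDeserialize` (a real property that defaults to false), and lints JDBC URLs and Java `.properties` text so a deployment that has turned it on can be found and reviewed alongside the driver update. The sample properties text is constructed for the demonstration.

```python
"""Lint MySQL Connector/J connection settings for automatic deserialization.

Added example for this bulletin; not code from Fedora, Oracle or Connector/J.
Assumption: the 'automatic deserialization of Java objects' the bulletin
describes is controlled by the Connector/J property `autoDeserialize`
(default false). Anything other than an explicit "false" is reported so that
a reviewer looks at it.
"""
from urllib.parse import parse_qsl, urlsplit

RISKY_PROPERTY = "autoDeserialize"  # Connector/J connection property, default false


def _check(prop, value, where):
    """Return a finding tuple when prop/value enables automatic deserialization."""
    if prop.strip().lower() != RISKY_PROPERTY.lower():
        return None
    if value.strip().lower() == "false":
        return None
    return (
        where,
        f"{prop.strip()}={value.strip()}",
        "automatic Java deserialization enabled; set autoDeserialize=false "
        "and apply the Connector/J update",
    )


def lint_jdbc_url(url):
    """Inspect the query string of a jdbc:mysql:// URL for the risky property."""
    findings = []
    if not url.lower().startswith("jdbc:mysql:"):
        return findings  # not a Connector/J URL; nothing to check
    parts = urlsplit(url[len("jdbc:"):])  # strip 'jdbc:' so the rest parses as a URL
    for prop, value in parse_qsl(parts.query, keep_blank_values=True):
        finding = _check(prop, value, f"url {parts.netloc}{parts.path}")
        if finding:
            findings.append(finding)
    return findings


def lint_properties(text):
    """Scan Java .properties text: bare autoDeserialize keys and embedded JDBC URLs."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or .properties comment
        if "=" in line:
            key, _, value = line.partition("=")
        elif ":" in line:
            key, _, value = line.partition(":")
        else:
            continue
        key, value = key.strip(), value.strip()
        finding = _check(key, value, f"properties line {lineno}")
        if finding:
            findings.append(finding)
        if value.lower().startswith("jdbc:mysql:"):
            # the property value is itself a connection URL; lint its query string
            findings.extend(lint_jdbc_url(value))
    return findings


# Constructed sample; not taken from any real deployment.
SAMPLE_PROPERTIES = """\
# constructed sample configuration
db.url=jdbc:mysql://db.example.internal:3306/orders?useSSL=true&autoDeserialize=true
db.user=app
autoDeserialize=false
"""

if __name__ == "__main__":
    for where, setting, why in lint_properties(SAMPLE_PROPERTIES):
        print(f"{where}: {setting}: {why}")
```

Run it against the configuration files and connection-pool definitions of the applications that use this driver; an empty result means the setting is absent or explicitly false, while any finding should be fixed in the configuration in addition to installing the update, since the safe default only helps when nothing overrides it.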
2) Improper access control (CVE-ID: CVE-2017-3586)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information and write arbitrary files on the target system.
The weakness exists due to improper access control. A remote attacker can gain unauthorized update, insert or delete access to some of the MySQL Connectors-accessible data and unauthorized read access to a subset of the MySQL Connectors-accessible data.
3) Improper access control (CVE-ID: CVE-2017-3589)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local authenticated attacker to write arbitrary files on the target system.
The weakness exists due to improper access control. A local attacker can gain unauthorized update, insert or delete access to some of the MySQL Connectors-accessible data.
4) Authentication bypass using an alternate path or channel (CVE-ID: CVE-2018-3258)
CWE-ID: CWE-288 - Authentication Bypass Using an Alternate Path or Channel
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
Remediation
Install the update from the vendor's website.