Introduction:
A new vulnerability, CVE-2023-21971, has been discovered in the MySQL Connectors product of Oracle MySQL (Connector/J). This vulnerability affects supported versions 8..32 and prior. With a CVSS 3.1 Base Score of 5.3, this vulnerability has the potential to impact confidentiality, integrity, and availability.
Exploit Details
This vulnerability may allow a highly privileged attacker with network access via multiple protocols to compromise MySQL Connectors. It is important to note that successful attacks require human interaction from a person other than the attacker. The vulnerability's exploitation can lead to unauthorized ability to cause a hang or frequently repeatable crash, also known as a complete Denial of Service (DoS) of MySQL Connectors. In addition, unauthorized update, insert, or delete access to some of MySQL Connectors' accessible data, as well as unauthorized read access to a subset of MySQL Connectors' accessible data, is possible.
CVSS Vector
The CVSS Vector for this vulnerability is as follows: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H
Code Snippet
Though specific exploit code cannot be provided for security reasons, it is crucial that affected users review the Original Advisory from Oracle and follow the recommended steps to secure their systems.
Mitigation
To guard against this vulnerability, administrators are advised to update their installations to the latest supported version, MySQL Connector/J 8..33 or later. Refer to the Oracle Critical Patch Update Advisory for further information on securing your systems.
For those using the affected versions (8..32 and prior), it is strongly recommended to restrict network access, apply the appropriate patches, and consider implementing the Principle of Least Privilege in managing user access to the system.
Conclusion
CVE-2023-21971 highlights the importance of staying up-to-date with software versions and continually monitoring for emerging threats. By updating to the latest MySQL Connectors supported version and following the advice provided by Oracle, you can help minimize the risk posed by this vulnerability and protect your organization's data and systems. Stay informed and stay secure.
Timeline
Published on: 04/18/2023 20:15:00 UTC
Last modified on: 04/27/2023 15:15:00 UTC