Bug 927981 - (CVE-2015-2575) VUL-1: CVE-2015-2575: mysql-connector-java: Oracle Critical Patch Update April 2015
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Tomáš Chvátal
Reported: 2015-04-21 11:13 UTC by Andreas Stieger
Modified: 2017-01-10 17:25 UTC (History)
Found By: Security Response Team
Description Andreas Stieger 2015-04-21 11:13:23 UTC
Split from bug 927623 for mysql-connector-java only.

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html#AppendixMSQL
http://www.oracle.com/technetwork/topics/security/cpuapr2015verbose-2365613.html#MSQL

   +--------------------------------------------------------------+
   | CVE Identifier |                 Description                 |
   |----------------+---------------------------------------------|
   |                | Vulnerability in the MySQL Connectors       |
   |                | component of Oracle MySQL (subcomponent:    |
   |                | Connector/J). Supported versions that are   |
   |                | affected are 5.1.34 and earlier. Difficult  |
   |                | to exploit vulnerability allows successful  |
   |                | authenticated network attacks via multiple  |
   |                | protocols. Successful attack of this        |
   |                | vulnerability can result in unauthorized    |
   | CVE-2015-2575  | update, insert or delete access to some     |
   |                | MySQL Connectors accessible data as well as |
   |                | read access to a subset of MySQL Connectors |
   |                | accessible data.                            |
   |                |                                             |
   |                | CVSS Base Score 4.9 (Confidentiality and    |
   |                | Integrity impacts). CVSS V2 Vector:         |
   |                | (AV:N/AC:M/Au:S/C:P/I:P/A:N). (legend)      |
   |                | [Advisory]                                  |
   +--------------------------------------------------------------+
Comment 1 Swamp Workflow Management 2015-04-21 14:20:50 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-05-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61581
Comment 2 Tomáš Chvátal 2015-04-21 14:50:55 UTC
SLE11 should be done too?

SUSE:SLE-11:GA                   mysql-connector-java  5.1.6   1    2f7c5c82962298c3ff3922e999eb428f


Also note that I can't do patch, so only version bump is possible.
Comment 5 Andreas Stieger 2015-04-21 15:45:21 UTC
(In reply to Tomas Chvatal from comment #2)
> SLE11 should be done too?
> 
> SUSE:SLE-11:GA                   mysql-connector-java  5.1.6
> 
> Also note that I can't do patch, so only version bump is possible.

This seems to be the upstream issue

> From b8acfd59baf2223814a48b6fb87ea95919da2b5f Mon Sep 17 00:00:00 2001
> From: Filipe Silva <filipe.silva@oracle.com>
> Date: Sat, 6 Dec 2014 13:36:41 +0000
> Subject: [PATCH] Fix for Bug#18925727, SQL INJECTION IN MYSQL JDBC DRIVER.

https://github.com/mysql/mysql-connector-j/commit/b8acfd59baf2223814a48b6fb87ea95919da2b5f

Does not apply cleanly to our version, but the code looks very similar. Is that something you could look at?
Comment 6 Swamp Workflow Management 2015-04-21 22:00:49 UTC
bugbot adjusting priority
Comment 7 Tomáš Chvátal 2015-04-22 09:53:26 UTC
(In reply to Andreas Stieger from comment #5)
> (In reply to Tomas Chvatal from comment #2)
> > SLE11 should be done too?
> > 
> > SUSE:SLE-11:GA                   mysql-connector-java  5.1.6
> > 
> > Also note that I can't do patch, so only version bump is possible.
> 
> This seems to be the upstream issue
> 
> > From b8acfd59baf2223814a48b6fb87ea95919da2b5f Mon Sep 17 00:00:00 2001
> > From: Filipe Silva <filipe.silva@oracle.com>
> > Date: Sat, 6 Dec 2014 13:36:41 +0000
> > Subject: [PATCH] Fix for Bug#18925727, SQL INJECTION IN MYSQL JDBC DRIVER.
> 
> https://github.com/mysql/mysql-connector-j/commit/b8acfd59baf2223814a48b6fb87ea95919da2b5f
> 
> Does not apply cleanly to our version, but the code looks very similar. Is
> that something you could look at?

Applying this cleanly is not a big problem, but as has happened in the past they do follow-up commits which do not mention anything in the git log. So it is not really easy to be 100% sure we have all the required stuff to fix the issue.
That's why we have to stick with the version updates.

Anyway Java:packages/mysql-connector-java has WIP version bump. But currently it won't build, I fixed most of the issues and now have to figure out why CLASSPATH is not properly propagated there :/ Why the hell they have time to rewrite the buildsystem from scratch, but invest 0 time to port it to newer java is beyond me.
Comment 9 Bernhard Wiedemann 2015-05-13 18:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (927981) was mentioned in
https://build.opensuse.org/request/show/307056 Factory / mysql-connector-java
Comment 10 Swamp Workflow Management 2015-05-29 15:05:59 UTC
openSUSE-SU-2015:0967-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 927981
CVE References: CVE-2015-2575
Sources used:
openSUSE 13.2 (src):    mysql-connector-java-5.1.35-3.3.1
openSUSE 13.1 (src):    mysql-connector-java-5.1.35-3.1
Comment 11 Rolf Krahl 2015-06-05 10:31:46 UTC
(In reply to Swamp Workflow Management from comment #10)
> openSUSE-SU-2015:0967-1: An update that fixes one vulnerability is now
> available.
> 
> Category: security (moderate)
> Bug References: 927981
> CVE References: CVE-2015-2575
> Sources used:
> openSUSE 13.2 (src):    mysql-connector-java-5.1.35-3.3.1
> openSUSE 13.1 (src):    mysql-connector-java-5.1.35-3.1

Looks like something has been screwed up in this update.  After installing with "zypper patch" on an openSUSE 13.1 box, an application using the eclipselink framework to persist objects in a MySQL database got broken.  It throws the following exception at startup:

| java.sql.SQLException: Error in allocating a connection. Cause: Class name is wrong or classpath is not set for : com.mysql.jdbc.jdbc2.optional.MysqlDataSource
| Error Code: 0
|         at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.deploy(EntityManagerSetupImpl.java:762)
|         at org.eclipse.persistence.internal.jpa.EntityManagerFactoryDelegate.getAbstractSession(EntityManagerFactoryDelegate.java:204)
| [...]

Indeed, inspecting the jar file installed by the patch, MysqlDataSource.class is missing:

| jar tf /usr/share/java/mysql-connector-java.jar | grep MysqlDataSource
| [no result]

This class was present in mysql-connector-java-5.1.25-1.1.noarch:

| jar tf mysql-connector-java.jar | grep MysqlDataSource
| com/mysql/jdbc/jdbc2/optional/MysqlDataSource.class
| com/mysql/jdbc/jdbc2/optional/MysqlDataSourceFactory.class

Consequently, reverting to this older version, the application works again.

I had a look at the release notes between 5.1.25 and 5.1.35 on Oracle's MySQL webpage.  There is no mention of a removal of MysqlDataSource.  In the current sources that one can download from Oracle, the MysqlDataSource.java source file is still present (I didn't try a build though).  So I assume the removal of this class was not intended.
Comment 12 Andreas Stieger 2015-06-05 11:14:00 UTC
(In reply to Rolf Krahl from comment #11)
> After installing
> with "zypper patch" on a openSUSE 13.1 box, an application using the
> eclipselink framework to persist objects in a MySQL database got broken.  It
> throws the following exception at startup:
> 
> | java.sql.SQLException: Error in allocating a connection. Cause: Class name is wrong or classpath is not set for : com.mysql.jdbc.jdbc2.optional.MysqlDataSource
> | Error Code: 0
> |         at org.eclipse.persistence.internal.jpa.EntityManagerSetupImpl.deploy(EntityManagerSetupImpl.java:762)
> |         at org.eclipse.persistence.internal.jpa.EntityManagerFactoryDelegate.getAbstractSession(EntityManagerFactoryDelegate.java:204)
> | [...]
> 
> Indeed, inspecting the jar file been installed by the patch,
> MysqlDataSource.class is missing:
> 
> | jar tf /usr/share/java/mysql-connector-java.jar | grep MysqlDataSource
> | [no result]
> 
> This class was present in mysql-connector-java-5.1.25-1.1.noarch:
> 
> | jar tf mysql-connector-java.jar | grep MysqlDataSource
> | com/mysql/jdbc/jdbc2/optional/MysqlDataSource.class
> | com/mysql/jdbc/jdbc2/optional/MysqlDataSourceFactory.class


Confirmed on openSUSE that class file is missing in binary jar but not in sources.
This would affect the SLE update of this package.
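
The manual `jar tf ... | grep MysqlDataSource` comparison from comment 11, generalized to every class in the archive, as an added example that is not part of the original thread. The function names are hypothetical and the two listings are constructed samples; real listings would come from `jar tf old.jar > old.lst` and `jar tf new.jar > new.lst`.

```shell
#!/bin/sh
# Added example: catch classes that vanished from a rebuilt jar before the
# update ships. Input files hold `jar tf` output, one entry per line.

# Keep only .class entries from a listing on stdin, sorted and de-duplicated.
class_filter() {
    grep '\.class$' | LC_ALL=C sort -u
}

# missing_classes OLD.lst NEW.lst
# Prints classes listed in OLD but absent from NEW; exit status 1 if any.
missing_classes() {
    tmp=$(mktemp -d) || return 2
    class_filter < "$1" > "$tmp/old"
    class_filter < "$2" > "$tmp/new"
    LC_ALL=C comm -23 "$tmp/old" "$tmp/new" > "$tmp/gone"
    cat "$tmp/gone"
    if [ -s "$tmp/gone" ]; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample listings (not real package contents). The "old" one
# carries the two entries quoted in comment 11 plus one entry both builds share.
demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/old.lst" <<'EOF'
META-INF/MANIFEST.MF
com/mysql/jdbc/Driver.class
com/mysql/jdbc/jdbc2/optional/MysqlDataSource.class
com/mysql/jdbc/jdbc2/optional/MysqlDataSourceFactory.class
EOF
    cat > "$d/new.lst" <<'EOF'
META-INF/MANIFEST.MF
com/mysql/jdbc/Driver.class
EOF
    rc=0
    missing_classes "$d/old.lst" "$d/new.lst" || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "regression: the classes listed above are missing from the new jar" >&2
```

A non-zero exit from `missing_classes` can gate a package build or a maintenance-update test run, so a dropped class is caught before users hit the `Class name is wrong or classpath is not set` error.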
Comment 13 Robert CABANE 2015-06-07 09:59:21 UTC
This patch breaks the connection with Libreoffice Base. Reverting to 5.1.25 solves this issue (with a security risk).
Context :
- using Mariadb, not MySQL
- OpenSuSE 13.2
- Libreoffice 4.4.3.2 (from libreoffice.org)
Comment 14 Robert CABANE 2015-06-08 17:44:40 UTC
Just the same problem with Libreoffice Base as supplied by OpenSuSE, version 4.3.7.2.
Comment 15 Tomáš Chvátal 2015-06-11 15:22:24 UTC
Fixed by this sr https://build.opensuse.org/request/show/311653; Maintenance update for 13.1 and 13.2 also sent as mr#311659.
Comment 16 Andreas Stieger 2015-06-12 06:40:31 UTC
Rolf, Robert, could you kindly verify that the pending follow-up update in 
http://download.opensuse.org/update/13.2-test/
fixes the regression for your respective use cases:
http://download.opensuse.org/update/13.2-test/noarch/mysql-connector-java-5.1.35-3.6.1.noarch.rpm
Comment 17 Rolf Krahl 2015-06-12 18:13:07 UTC
(In reply to Andreas Stieger from comment #16)
> Rolf, Robert, could you kindly verify that the pending follow-up update in 
> http://download.opensuse.org/update/13.2-test/
> fixes the regression for your respective use cases:
> http://download.opensuse.org/update/13.2-test/noarch/mysql-connector-java-5.1.35-3.6.1.noarch.rpm

I picked the one from http://download.opensuse.org/update/13.1-test/ since it's a 13.1 box.  But I guess they are the same anyway.  Looks good!
Comment 18 Robert CABANE 2015-06-13 05:59:00 UTC
I agree, with 13.2 distribution in my case. Tested with Libreoffice 4.4.3.2.
Many thanks for this update, since that bug was a stopper for me.
Comment 19 Andreas Stieger 2015-06-15 08:44:35 UTC
Thanks both for confirming the resolution of the regression.
Comment 20 Andreas Stieger 2015-06-15 08:54:01 UTC
The follow-up updates should appear in the regular openSUSE 13.1 and 13.2 update repositories shortly.
Comment 21 Swamp Workflow Management 2015-06-15 09:05:21 UTC
openSUSE-RU-2015:1063-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 927981
CVE References: 
Sources used:
openSUSE 13.2 (src):    mysql-connector-java-5.1.35-3.6.1
openSUSE 13.1 (src):    mysql-connector-java-5.1.35-6.1
Comment 22 Eric Schirra 2015-06-17 13:19:48 UTC
It's not running fine

See https://bugzilla.opensuse.org/show_bug.cgi?id=934519
Comment 23 Andreas Stieger 2015-06-17 15:49:48 UTC
(In reply to Eric Schirra from comment #22)
> It's not running fine
> 
> See https://bugzilla.opensuse.org/show_bug.cgi?id=934519

As discussed there, you were missing openSUSE-RU-2015:1063-1.
Comment 24 Marcus Meissner 2016-08-01 15:17:20 UTC
done i think?
Comment 25 Tomáš Chvátal 2016-08-01 15:27:22 UTC
(In reply to Marcus Meissner from comment #24)
> done i think?

We didn't release this for sle12? Or is it not needed?
Comment 26 Marcus Meissner 2016-08-01 15:31:44 UTC
Ah yes, not released for sle11 and sle12.

(currently on pending updates. but if you want to submit, feel free)
Comment 28 Swamp Workflow Management 2016-09-07 15:09:20 UTC
SUSE-SU-2016:2259-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 927981
CVE References: CVE-2015-2575
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    mysql-connector-java-5.1.35-3.1
Comment 29 Swamp Workflow Management 2016-09-14 13:10:11 UTC
openSUSE-SU-2016:2304-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 927981
CVE References: CVE-2015-2575
Sources used:
openSUSE Leap 42.1 (src):    mysql-connector-java-5.1.35-6.1
Comment 30 Tomáš Chvátal 2016-11-30 10:11:04 UTC
I prodded the sle11 build more.
Mostly all deps are satisfied, but upstream switched to needing ant-1.8 or newer for the build (using local for variable definitions all around the place).

As the patches really are non-backportable, what would be the best course of action? Of course we can keep it as-is...

https://build.suse.de/package/show/home:scarabeus_iv:branches:SUSE:SLE-11:Update/mysql-connector-java