Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED_MYSQL-CONNECTOR-JAVA-RHEL7.NASL
HistoryJun 03, 2024 - 12:00 a.m.

RHEL 7 : mysql-connector-java (Unpatched Vulnerability)

2024-06-0300:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
rhel 7
mysql-connector-java
unpatched vulnerability
oracle mysql
nessus
cve-2018-3258
cve-2015-2575
cve-2017-3523

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

6.4 Medium

AI Score

Confidence

Low

0.006 Low

EPSS

Percentile

77.9%

JSON

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)

  • Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J. (CVE-2015-2575)

  • Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. (CVE-2017-3523)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory mysql-connector-java. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(199365);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");

  script_cve_id(
    "CVE-2015-2575",
    "CVE-2017-3523",
    "CVE-2017-3586",
    "CVE-2017-3589",
    "CVE-2018-3258",
    "CVE-2019-2692",
    "CVE-2020-2875",
    "CVE-2020-2933",
    "CVE-2020-2934"
  );

  script_name(english:"RHEL 7 : mysql-connector-java (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)

  - Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows
    remote authenticated users to affect confidentiality and integrity via unknown vectors related to
    Connector/J. (CVE-2015-2575)

  - Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported
    versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low
    privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the
    vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful
    attacks of this vulnerability can result in takeover of MySQL Connectors. (CVE-2017-3523)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-3258");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/06/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-connector-java");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'mysql-connector-java', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'mysql-connector-java'}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'mysql-connector-java');
}
VendorProductVersionCPE
redhatenterprise_linuxmysql-connector-javap-cpe:/a:redhat:enterprise_linux:mysql-connector-java
redhatenterprise_linux7cpe:/o:redhat:enterprise_linux:7

Related

nessus 30
openvas 26
debian 8
osv 12
mageia 3
suse 2
fedora 4
freebsd 1
debiancve 9
veracode 7
cve 9
github 6
ubuntucve 9
prion 9
nvd 9
cvelist 9
ibm 8
redhatcve 8
amazon 1
redhat 6
f5 3
gentoo 1
securityvulns 1
oracle 6
nessus
nessus
RHEL 6 : mysql-connector-java (Unpatched Vulnerability)
2024-06-03 00:00:00
RHEL 6 : mysql-connector-java (Unpatched Vulnerability)
2024-05-11 00:00:00
openSUSE Security Update : mysql-connector-java (openSUSE-2018-248)
2018-03-13 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-945-1)
2018-01-24 00:00:00
Mageia: Security Advisory (MGASA-2017-0382)
2022-01-28 00:00:00
openSUSE: Security Advisory for mysql-connector-java (openSUSE-SU-2021:1126-1)
2021-08-11 00:00:00
debian
debian
[SECURITY] [DLA 945-1] mysql-connector-java security update
2017-05-16 22:52:19
[SECURITY] [DLA 2245-1] mysql-connector-java security update
2020-06-11 18:29:24
[SECURITY] [DSA 4703-1] mysql-connector-java security update
2020-06-11 17:47:17
osv
osv
mysql-connector-java - security update
2017-05-16 00:00:00
mysql-connector-java - security update
2020-06-11 00:00:00
mysql-connector-java - security update
2020-06-11 00:00:00
mageia
mageia
Updated mysql-connector-java packages fix security vulnerabilities
2017-10-24 08:50:58
Updated mysql-connector-java package fixes security vulnerability
2015-07-05 20:22:03
Updated mysql-connector-java package fixes security vulnerability
2020-09-21 22:45:58
suse
suse
Security update for mysql-connector-java (moderate)
2021-08-05 00:00:00
Security update for mysql-connector-java (moderate)
2021-08-10 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: mysql-connector-java-8.0.21-1.fc32
2020-09-03 16:40:47
[SECURITY] Fedora 33 Update: mysql-connector-java-8.0.21-1.fc33
2020-09-25 17:06:39
[SECURITY] Fedora 29 Update: mysql-connector-java-8.0.13-1.fc29
2018-11-10 03:21:23
freebsd
freebsd
MySQL Client -- Multiple vulerabilities
2020-04-14 00:00:00
debiancve
debiancve
CVE-2015-2575
2015-04-16 17:00:00
CVE-2017-3589
2017-04-24 19:59:00
CVE-2017-3523
2017-04-24 19:59:00
veracode
veracode
SQL Injection
2017-08-22 17:48:40
Improper Automatic Deserialization
2017-04-25 03:05:38
Authorization Bypass
2018-11-21 01:26:31
cve
cve
CVE-2015-2575
2015-04-16 17:00:07
CVE-2017-3523
2017-04-24 19:59:03
CVE-2017-3589
2017-04-24 19:59:05
github
github
Improper Access Control in MySQL Connectors Java
2022-05-17 00:25:07
Improper Access Control in MySQL Connectors Java
2022-05-13 01:45:34
Improper Privilege Management in MySQL Connectors Java
2022-05-13 01:52:26
ubuntucve
ubuntucve
CVE-2015-2575
2015-04-16 00:00:00
CVE-2017-3523
2017-04-24 00:00:00
CVE-2017-3589
2017-04-24 00:00:00
prion
prion
Code injection
2015-04-16 17:00:00
Design/Logic Flaw
2017-04-24 19:59:00
Code injection
2018-10-17 01:31:00
nvd
nvd
CVE-2015-2575
2015-04-16 17:00:07
CVE-2017-3523
2017-04-24 19:59:03
CVE-2017-3589
2017-04-24 19:59:05
cvelist
cvelist
CVE-2015-2575
2015-04-16 16:00:00
CVE-2017-3523
2017-04-24 19:00:00
CVE-2018-3258
2018-10-17 01:00:00
ibm
ibm
Security Bulletin: Security vulnerability has been identified in Oracle MySQL shipped with IBM Tivoli Network Manager IP Edition (CVE-2017-3523)
2018-06-17 15:41:31
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Oracle products ( CVE-2020-2934, CVE-2022-21363)
2023-05-17 22:08:39
Security Bulletin: Multiple Vulnerabilities identified in IBM StoredIQ
2020-02-20 12:42:12
redhatcve
redhatcve
CVE-2017-3589
2017-04-21 10:18:13
CVE-2017-3523
2017-04-24 08:48:14
CVE-2018-3258
2019-10-09 11:57:57
amazon
amazon
Medium: mysql-connector-java
2023-04-13 19:28:00
redhat
redhat
(RHSA-2020:4960) Moderate: Red Hat Decision Manager 7.9.0 security update
2020-11-05 18:43:06
(RHSA-2020:4961) Moderate: Red Hat Process Automation Manager 7.9.0 security update
2020-11-05 18:44:42
(RHSA-2019:1545) Important: Red Hat Fuse 7.3.1 security update
2019-06-18 19:49:16
f5
f5
K63470526 : MySQL vulnerabilities CVE-2018-3203, CVE-2018-3212, CVE-2018-3247, CVE-2018-3251, and CVE-2018-3258
2018-11-16 00:00:00
K17115 : Multiple MySQL vulnerabilities
2015-10-20 00:00:00
SOL17115 - Multiple MySQL vulnerabilities
2015-08-14 00:00:00
gentoo
gentoo
MySQL: Multiple vulnerabilities
2021-05-26 00:00:00
securityvulns
securityvulns
Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities
2015-04-17 00:00:00
oracle
oracle
Oracle Critical Patch Update - April 2015
2015-04-14 00:00:00
Oracle Critical Patch Update Advisory - April 2017
2017-04-18 00:00:00
Oracle Critical Patch Update Advisory - April 2020
2020-04-14 00:00:00

6.5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

6.4 Medium

AI Score

Confidence

Low

0.006 Low

EPSS

Percentile

77.9%

JSON
Related for REDHAT_UNPATCHED_MYSQL-CONNECTOR-JAVA-RHEL7.NASL
nessus30openvas26debian8osv12mageia3suse2fedora4freebsd1debiancve9veracode7cve9github6ubuntucve9prion9nvd9cvelist9ibm8redhatcve8amazon1redhat6f53gentoo1securityvulns1oracle6