Vulnerability Name:

CVE-2021-2471 (CCN-211603)

Assigned:2020-12-09
Published:2021-10-19
Updated:2022-04-28
Summary:Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).
CVSS v3 Severity:5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): High
5.9 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H)
5.2 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:7.9 High (CVSS v2 Vector: AV:N/AC:M/Au:S/C:C/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): Complete
6.6 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Other
References:Source: MITRE
Type: CNA
CVE-2021-2471

Source: XF
Type: UNKNOWN
oracle-cpuoct2021-cve20212471(211603)

Source: CCN
Type: IBM Security Bulletin 6563573 (Security Guardium)
IBM Security Guardium is affected by multiple vulnerabilities

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: MISC
Type: Vendor Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:Configuration 1:
  • cpe:/a:oracle:communications_cloud_native_core_console:1.9.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_policy:1.15.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.7.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:mysql_connectors:*:*:*:*:*:*:*:* (Version >= 8.0.0 and <= 8.0.26)

    • Configuration 2:
  • cpe:/a:quarkus:quarkus:*:*:*:*:*:*:*:* (Version < 2.2.4)
  • OR cpe:/a:quarkus:quarkus:*:*:*:*:*:*:*:* (Version >= 2.3.0 and < 2.6.0)

    • Configuration CCN 1:
  • cpe:/a:oracle:mysql_connectors:2.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:mysql_connectors:5.1.41:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:mysql_connectors:6.1.10:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:mysql_connectors:2.1.8:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:mysql_connectors:8.0.13:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:security_guardium:10.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:10.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium:11.3:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:5214
    P
    		Security update for mysql-connector-java (Moderate)
    2022-04-11
    BACK
    oracle communications cloud native core console 1.9.0
    oracle communications cloud native core network slice selection function 1.8.0
    oracle communications cloud native core policy 1.15.0
    oracle communications cloud native core security edge protection proxy 1.7.0
    oracle mysql connectors *
    quarkus quarkus *
    quarkus quarkus *
    oracle mysql connectors 2.1.5
    oracle mysql connectors 5.1.41
    oracle mysql connectors 6.1.10
    oracle mysql connectors 2.1.8
    oracle mysql connectors 8.0.13
    ibm security guardium 10.5
    ibm security guardium 10.6
    ibm security guardium 11.0
    ibm security guardium 11.1
    ibm security guardium 11.2
    ibm security guardium 11.3