2021/08/24 :- The Alibaba Cloud security team reported the MySQL JDBC (Connector/J) XXE vulnerability to Oracle.
2021/08/24 :- Alibaba Cloud WAF protection rules were updated to cover it.
2021/10/20 :- Oracle released the patch, assigned CVE-2021-2471, and publicly credited the Alibaba Cloud security team.
2021/10/21 :- Alibaba Cloud Security published this vulnerability risk advisory.
| Risk attribute | Rating |
|---|---|
| Scope of impact | Wide |
| Exploitation difficulty | |
The vulnerability exists because, before MySQL Connector/J 8.0.27, the getSource() method of the driver's SQLXML implementation (com.mysql.cj.jdbc.MysqlSQLXML) parsed the XML it held without restricting external entities. An attacker who controls that XML can declare an external entity in a DOCTYPE and have the parser resolve it, which is a classic XXE attack (local file disclosure, SSRF, or denial of service depending on the entity).

Inside getSource(), the only check made is on the requested Source class: when the caller asks for DOMSource, the method creates a DocumentBuilder and parses the stored XML string with it.

No security-related configuration is applied in this step. The DocumentBuilderFactory is instantiated with JAXP defaults, which expand entity references and fetch external DTDs and entities, so a DOCTYPE inside the XML is enough to pull in an external entity and trigger XXE. In practice the XML in a MysqlSQLXML is usually a value the driver has just read from the database, so the attacker's payload reaches the parser only when the application later converts that column with getSource(DOMSource.class); the flaw is in the library, but whether it is reachable depends on how the application uses SQLXML.

In MySQL Connector/J 8.0.27 the factory is configured with secure-processing features and attributes before the DocumentBuilder is created, and the XML is validated against those restrictions before it is parsed into a DOM.
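The following example is added here to show the vulnerable and hardened patterns side by side; it is not code from the Alibaba Cloud post or from Connector/J. parseUnhardened() reproduces the shape of the pre-8.0.27 getSource(DOMSource.class) path (factory created with defaults, XML parsed straight into a DOM); parseHardened() applies the standard JAXP hardening set (secure processing, DOCTYPE disallowed, external DTD/schema access cut off). The exact settings Oracle used in 8.0.27 are not quoted on this page, so the hardened configuration is the commonly recommended one, not a claim about the driver's source. The temp file and the XML payload are constructed for the demonstration.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class SqlXmlXxeDemo {

    // Same pattern as the pre-8.0.27 getSource(DOMSource.class) path:
    // default factory, no feature/attribute hardening, parse the stored string.
    static DOMSource parseUnhardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return new DOMSource(doc);
    }

    // Hardened factory (standard JAXP recommendations, assumed here, not
    // necessarily the exact settings Connector/J 8.0.27 uses).
    static DOMSource parseHardened(String xml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting any DOCTYPE removes the whole entity-declaration surface.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        // Belt and braces: even if a DTD were allowed, forbid fetching external ones.
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        dbf.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new InputSource(new StringReader(xml)));
        return new DOMSource(doc);
    }

    public static void main(String[] args) throws Exception {
        // Constructed "secret" file standing in for something like /etc/passwd.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "top-secret".getBytes(StandardCharsets.UTF_8));

        // Constructed payload of the kind an attacker would plant in an XML column
        // that the application later reads back as SQLXML and converts to DOMSource.
        String payload =
              "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE data [ <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\"> ]>\n"
            + "<data>&xxe;</data>";

        // Default parser resolves the file: URI and the file contents end up in the DOM.
        Document leaked = (Document) parseUnhardened(payload).getNode();
        System.out.println("unhardened: " + leaked.getDocumentElement().getTextContent());

        // Hardened parser refuses the document at the DOCTYPE, before any entity is resolved.
        try {
            parseHardened(payload);
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected -> " + e.getMessage());
        }

        Files.deleteIfExists(secret);
    }
}
```

Run it with any JDK 8 or later; no database is needed because the point is the parser configuration, not the JDBC round trip. When reviewing an application for exposure, look for calls to SQLXML.getSource(DOMSource.class) (or any getSource() with a DOM-backed class) on result sets from Connector/J older than 8.0.27, and for code paths that let untrusted data reach an XML column that is later read back this way.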
Original post written by Alibaba Cloud Emergency Response.