Timeline
2021/08/24 - The Alibaba Cloud security team officially reported the MySQL JDBC XXE vulnerability to Oracle.
2021/08/24 - Alibaba Cloud WAF updated its protection strategy.
2021/10/20 - Oracle officially released the vulnerability patch, assigned the CVE number CVE-2021-2471, and publicly thanked the Alibaba Cloud security team.
2021/10/21 - Alibaba Cloud Security released a vulnerability risk notice.
Risk Level
| Evaluation method | Grade |
| --- | --- |
| Threat level | High risk |
| Sphere of influence | Wide |
| Difficulty of exploitation | Low |
Vulnerability analysis
This vulnerability exists because, before MySQL JDBC (Connector/J) version 8.0.27, the "getSource()" method did not validate the incoming XML data. An attacker who controls that XML can declare external entities in it, resulting in an XXE attack.
Inside the getSource method there is only a simple type check: when the requested source type is DOMSource, the XML data is parsed with a "DocumentBuilder".
At this step no security check is performed before the parser object is instantiated, so a DOCTYPE with external entity declarations is accepted and expanded, which causes the XXE attack.
In MySQL JDBC 8.0.27 the security features are set on the factory and the validation is done before the parser object is instantiated.
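The following is an added example (not code from Connector/J or from the original post) that contrasts the two parser configurations described above: a default DocumentBuilder that honours DOCTYPE and entity declarations, next to a hardened builder whose features are set before instantiation, as the 8.0.27 fix does. The class, method names and the sample XML are constructed for illustration; the sample uses only an internal entity so that the difference is visible without any external resource.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class XxeHardeningDemo {

    // Constructed sample: an XML value carrying a DOCTYPE that declares an entity.
    // A SQLXML column populated from untrusted input could contain text like this.
    static final String SAMPLE_XML =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE note [ <!ENTITY ex \"expanded\"> ]>\n" +
        "<note>&ex;</note>";

    // Mirrors the pre-8.0.27 pattern: a default DocumentBuilder with no
    // security features set, so DOCTYPE and entity declarations are processed.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened form (assumed configuration, not Connector/J's exact code):
    // every feature is set on the factory before newDocumentBuilder() is called.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Rejecting DOCTYPE entirely blocks both internal and external entity declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Document parseHardened(String xml) throws Exception {
        DocumentBuilder b = hardenedBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Unsafe parser: the entity reference is expanded into "expanded".
        Document d = parseUnsafe(SAMPLE_XML);
        System.out.println("unsafe parser text content: " + d.getDocumentElement().getTextContent());

        // Hardened parser: the DOCTYPE is refused before any entity is resolved.
        try {
            parseHardened(SAMPLE_XML);
            System.out.println("hardened parser accepted the DOCTYPE (unexpected)");
        } catch (SAXException e) {
            System.out.println("hardened parser rejected the input: " + e.getMessage());
        }
    }
}
```

The useful check for a defender is the second branch: any parser that handles database-sourced XML should fail closed on a DOCTYPE, as the hardened builder does, rather than resolving entities and then trying to filter the result.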
Vulnerability demonstration
Reference link
https://www.oracle.com/security-alerts/cpuoct2021.html
Original post written by Alibaba Cloud Emergency Response
https://mp.weixin.qq.com/s/erIFMiPNB2XSBJSqXyxuKg