Oracle MySQL JDBC XXE vulnerability (CVE-2021-2471)

Timeline

2021/08/24 :- The Alibaba Cloud security team reported the MySQL JDBC XXE vulnerability to Oracle.

2021/08/24 :- Alibaba Cloud WAF protection rules were updated.

2021/10/20 :- Oracle released the patch in its October 2021 Critical Patch Update, assigned CVE-2021-2471, and publicly credited the Alibaba Cloud security team.

2021/10/21 :- Alibaba Cloud Security published a vulnerability risk advisory.

Risk Level

Evaluation method           Grade
Threat level                High risk
Sphere of influence         Wide
Difficulty of exploitation  Low

Vulnerability analysis

Before MySQL Connector/J 8.0.27, the getSource() method of the driver's SQLXML implementation (MysqlSQLXML) parsed the XML text it was handed without restricting DTD or external entity processing. An attacker who controls that XML string (for example through a value returned by a malicious or compromised MySQL server) can declare an external entity and have the parser resolve it, an XXE attack.

Inside getSource(), the requested Source class is checked; when it is DOMSource, a DocumentBuilder is created from a default DocumentBuilderFactory and used to parse the XML string.

At this step no security features are set on the factory before the DocumentBuilder is instantiated, so a DOCTYPE carrying external entities is accepted and the entities are fetched and expanded. This is what makes the XXE possible.

In MySQL Connector/J 8.0.27 the factory is hardened before the DocumentBuilder is created: secure processing is enabled and DOCTYPE declarations, external entities and external DTD loading are disabled, so the same payload is rejected at parse time. Upgrading to 8.0.27 or later is the fix.

Vulnerability demonstration

Reference link
https://www.oracle.com/security-alerts/cpuoct2021.html

Original post written by Alibaba Cloud Emergency Response

https://mp.weixin.qq.com/s/erIFMiPNB2XSBJSqXyxuKg

Written by SH
