
Command-line: update MySQL driver to 8.0.16 due to CVE-2018-3258 #2426

Closed
skapilabmc opened this issue Jul 3, 2019 · 1 comment

Comments

@skapilabmc

commented Jul 3, 2019

Which version and edition of Flyway are you using?
flyway 6.0.0-beta2

If this is not the latest version, can you reproduce the issue with the latest one as well?
This is the latest version.

Which client are you using? (Command-line, Java API, Maven plugin, Gradle plugin)
Command-line, Java API, Maven Plug-in

Which database are you using (type & version)?
Postgres

Which operating system are you using?
Docker on CentOS

What did you do?
A security scan was performed on our application, which uses flyway.

Hi,

The following vulnerability has been reported on flywaydb by our Sonatype Nexus IQ Scanner during an internal security scan. Please confirm whether flywaydb is impacted by this. If yes, can you please update the jar and share a timeline for the same?

If flywaydb is not impacted, then please provide your comments on why it is not impacted.

Regards,
Srikanth

Details of the Vulnerability
Description from CVE

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Root Cause
flyway-commandline-6.0.0-beta2-linux-x64.tar.gz <= mysql-connector-java-8.0.12.jar : ( , 8.0.12]

Advisories
Project: http://www.oracle.com/technetwork/security-advisory/cpuoct20...
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1640615

CVSS Details
CVE CVSS 3.0: 8.8

@axelfontaine

Member

commented Jul 3, 2019

Thanks for the heads up! We'll update it to the latest version (8.0.16 or later) before 6.0.0 goes GA. In the meantime, the driver can already easily be upgraded by end users by replacing the bundled version with the latest version from https://search.maven.org/artifact/mysql/mysql-connector-java/8.0.16/jar
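Added example, not code from this issue or from the Flyway project: a POSIX shell check a defender can run against an unpacked Flyway command-line installation to tell whether the bundled Connector/J still falls in the affected range ( , 8.0.12] reported by the scanner above, or has already been replaced with 8.0.16 or later as suggested. It assumes the bundled JDBC drivers live under `<flyway-dir>/drivers` (an assumption about the layout; adjust the path if yours differs).

```shell
# Added example (not from the Flyway project or this issue): flags a Flyway
# command-line install that still ships MySQL Connector/J in the range
# affected by CVE-2018-3258, i.e. ( , 8.0.12] (8.0.12 and prior).
# Assumption: bundled JDBC drivers sit under <flyway-dir>/drivers.

# Compare two dotted numeric versions; prints -1, 0 or 1 (like strcmp).
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"              # leading component
        [ "$a" = "$x" ] && a="" || a="${a#*.}"  # drop it from the remainder
        [ "$b" = "$y" ] && b="" || b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"                # missing component counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Version from a Connector/J jar path: .../mysql-connector-java-8.0.12.jar -> 8.0.12
driver_version() {
    v="${1##*/}"                     # strip directory
    v="${v#mysql-connector-java-}"   # strip artifact prefix
    printf '%s\n' "${v%.jar}"        # strip extension
}

# check_mysql_driver <flyway-dir>
# Returns 0 if every bundled Connector/J is newer than 8.0.12,
# 1 if an affected jar (<= 8.0.12) is found, 2 if no Connector/J jar exists.
check_mysql_driver() {
    dir="$1/drivers"
    found=0
    for jar in "$dir"/mysql-connector-java-*.jar; do
        [ -e "$jar" ] || continue    # glob did not match anything
        found=1
        ver=$(driver_version "$jar")
        if [ "$(version_cmp "$ver" 8.0.12)" -le 0 ]; then
            echo "AFFECTED: $jar ($ver <= 8.0.12, CVE-2018-3258); replace with 8.0.16+"
            return 1
        fi
        echo "ok: $jar ($ver is newer than 8.0.12)"
    done
    if [ "$found" -ne 1 ]; then
        echo "no Connector/J jar found under $dir"
        return 2
    fi
    return 0
}
```

Run it as `check_mysql_driver /path/to/flyway-6.0.0-beta2` and act on a non-zero exit status.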

@axelfontaine axelfontaine changed the title from "CVE-2018-3258 Vulnerability reported on flywaydb by Sonatype Nexsus IQ Server" to "Command-line: update MySQL driver to 8.0.16 due to CVE-2018-3258" Jul 3, 2019

juliahayward added a commit to flyway/flywaydb.org that referenced this issue Aug 1, 2019

@juliahayward juliahayward added r: fixed and removed t: bug labels Aug 1, 2019

MikielAgutu added a commit to flyway/flywaydb.org that referenced this issue Aug 13, 2019