
Command-line: update MySQL driver to 8.0.16 due to CVE-2018-3258 #2426

Closed
skapilabmc opened this issue Jul 3, 2019 · 1 comment

Comments


@skapilabmc skapilabmc commented Jul 3, 2019

Which version and edition of Flyway are you using?
flyway 6.0.0-beta2

If this is not the latest version, can you reproduce the issue with the latest one as well?
This is latest version

Which client are you using? (Command-line, Java API, Maven plugin, Gradle plugin)
Command-line, Java API, Maven Plug-in

Which database are you using (type & version)?
Postgres

Which operating system are you using?
Docker on CentOS

What did you do?
A security scan was performed on our application, which uses flyway.

Hi,

The following vulnerability has been reported on flywaydb by our Sonatype Nexus IQ Scanner during an internal security scan. Please confirm whether flywaydb is impacted by this. If yes, can you please update the jar and share a timeline for the same?

If flywaydb is not impacted, then please provide your comments on why it is not impacted.

Regards,
Srikanth

Details of the Vulnerability
Description from CVE

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Root Cause
flyway-commandline-6.0.0-beta2-linux-x64.tar.gz <= mysql-connector-java-8.0.12.jar : ( , 8.0.12]

Advisories
Project: http://www.oracle.com/technetwork/security-advisory/cpuoct20...
Third Party: https://bugzilla.redhat.com/show_bug.cgi?id=1640615

CVSS Details
CVE CVSS 3.0: 8.8

Contributor

@axelfontaine axelfontaine commented Jul 3, 2019

Thanks for the heads up! We'll update it to the latest version (8.0.16 or later) before 6.0.0 goes GA. In the meantime, the driver can already easily be upgraded by end users by replacing the bundled version with the latest version from https://search.maven.org/artifact/mysql/mysql-connector-java/8.0.16/jar

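As an added example, not part of this issue thread and not Flyway's own tooling: a POSIX shell script that applies the interim workaround described in the reply above. It checks which Connector/J jar a Flyway command-line distribution bundles, compares it against the affected range quoted from the advisory ("( , 8.0.12]"), and, if it is affected, swaps in a newer jar supplied locally. It assumes the distribution keeps bundled JDBC drivers under `<dist>/drivers/` and that the jar follows the `mysql-connector-java-<version>.jar` naming seen in the scan output; both are assumptions, not facts stated in the thread.

```shell
#!/bin/sh
# Added example (not from the Flyway issue or project): audit and replace the
# MySQL Connector/J jar bundled with a Flyway command-line distribution.
# Assumption: bundled JDBC drivers live in <dist>/drivers/.

# Highest version the advisory quoted in the issue lists as affected.
LAST_AFFECTED=8.0.12
# Version the maintainer said the next release would ship.
TARGET=8.0.16

# Compare two dotted version strings component by component.
# Prints -1, 0 or 1 for a<b, a==b, a>b. Missing components count as 0.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p < q) { print "-1"; exit }
      if (p > q) { print "1"; exit }
    }
    print "0"
  }'
}

# Print the version of the first mysql-connector-java jar under <dist>/drivers.
# Returns 1 when no such jar exists.
bundled_mysql_driver_version() {
  for jar in "$1"/drivers/mysql-connector-java-*.jar; do
    [ -e "$jar" ] || continue
    printf '%s\n' "${jar##*/mysql-connector-java-}" | sed 's/\.jar$//'
    return 0
  done
  return 1
}

# Exit 0 if the bundled driver is outside the affected range, 1 if it is
# inside it, 2 if no MySQL driver was found at all.
check_mysql_driver() {
  v=$(bundled_mysql_driver_version "$1") || {
    echo "no mysql-connector-java jar under $1/drivers"
    return 2
  }
  if [ "$(vercmp "$v" "$LAST_AFFECTED")" -le 0 ]; then
    echo "AFFECTED: mysql-connector-java-$v.jar <= $LAST_AFFECTED (CVE-2018-3258); replace with $TARGET or later"
    return 1
  fi
  echo "OK: mysql-connector-java-$v.jar is newer than $LAST_AFFECTED"
  return 0
}

# Remove every bundled Connector/J jar and copy the supplied jar in its place.
# The new jar is expected to have been fetched separately from Maven Central.
replace_mysql_driver() {
  dist="$1"; newjar="$2"
  [ -f "$newjar" ] || { echo "new driver jar not found: $newjar"; return 1; }
  for old in "$dist"/drivers/mysql-connector-java-*.jar; do
    if [ -e "$old" ]; then rm -f "$old"; fi
  done
  cp "$newjar" "$dist"/drivers/
}

# Usage: sh check_driver.sh /opt/flyway-6.0.0-beta2 [mysql-connector-java-8.0.16.jar]
# With one argument the exit status alone is enough for a CI gate.
case $# in
  1) check_mysql_driver "$1" ;;
  2) check_mysql_driver "$1" || replace_mysql_driver "$1" "$2" ;;
esac
```

The version comparison is numeric per component rather than a string compare, so `8.0.9` correctly sorts below `8.0.12`; a plain lexical check would get that wrong and report the older jar as safe.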

@axelfontaine axelfontaine changed the title CVE-2018-3258 Vulnerability reported on flywaydb by Sonatype Nexsus IQ Server Command-line: update MySQL driver to 8.0.16 due to CVE-2018-3258 Jul 3, 2019
juliahayward added a commit to flyway/flywaydb.org that referenced this issue Aug 1, 2019
MikielAgutu added a commit to flyway/flywaydb.org that referenced this issue Aug 13, 2019
dohrayme pushed a commit to dohrayme/flyway that referenced this issue Feb 3, 2020