Merge pull request #37019 from abstractj/issue-37018

Address CVE-2023-21971 present in MySQL connector
quarkusio · Nov 13, 2023 · 2d70282 · 2d70282
2 parents bae8086 + a8d766d
commit 2d70282
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/bom/application/pom.xml b/bom/application/pom.xml
@@ -129,7 +129,7 @@
         <h2.version>2.2.224</h2.version> <!-- When updating, needs to be matched in io.quarkus.hibernate.orm.runtime.config.DialectVersions -->
         <postgresql-jdbc.version>42.6.0</postgresql-jdbc.version>
         <mariadb-jdbc.version>3.2.0</mariadb-jdbc.version>
-        <mysql-jdbc.version>8.0.30</mysql-jdbc.version>
+        <mysql-jdbc.version>8.0.33</mysql-jdbc.version>
         <mssql-jdbc.version>12.4.0.jre11</mssql-jdbc.version>
         <adal4j.version>1.6.7</adal4j.version>
         <oracle-jdbc.version>23.3.0.23.09</oracle-jdbc.version>

diff --git a/...in/java/io/quarkus/jdbc/mysql/runtime/graal/com/mysql/cj/jdbc/MySQLJDBCSubstitutions.java b/...in/java/io/quarkus/jdbc/mysql/runtime/graal/com/mysql/cj/jdbc/MySQLJDBCSubstitutions.java
@@ -9,6 +9,14 @@
 @TargetClass(className = "com.mysql.cj.protocol.a.authentication.AuthenticationOciClient")
 final class AuthenticationOciClient {
 
+    @Substitute
+    private void loadOciConfig() {
+        throw ExceptionFactory
+                .createException("OciClient authentication is not available in Quarkus when compiling to native-image:" +
+                        " the MySQL JDBC driver team needs to cleanup the dependency requirements to make this possible." +
+                        " If you need this resolved, please open a support request.");
+    }
+
     @Substitute
     private void initializePrivateKey() {
         throw ExceptionFactory