The issue is reachable through the java.sql.DriverManager.getConnection() method when the JDBC URL or connection properties are built from untrusted input. The propertiesTransform connection property names a class that the driver loads by name; because the class is initialized before the driver checks that it implements ConnectionPropertiesTransform, an attacker who controls that property can cause the static initializer of any class on the application's classpath to run. The following example illustrates the vulnerability:

```java
import java.sql.Connection;
import java.sql.DriverManager;

// The attacker-controlled value is propertiesTransform; user and password are incidental.
Connection conn = DriverManager.getConnection(
        "jdbc:mysql://localhost/test?"
        + "user=test&password=test&propertiesTransform=com.example.MyArbitraryClass");
```

In this example, the static initializer of com.example.MyArbitraryClass is executed even though the class does not implement the ConnectionPropertiesTransform interface; the class only needs to be loadable from the application's classpath.
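The following stand-alone program, added here as an illustration and not code from aws-mysql-jdbc or MySQL Connector/J, shows the two class-loading patterns behind this advisory: the vulnerable one, where Class.forName(name) initializes the class before any type check, beside a hardened one that loads with initialize=false, checks assignability to the transform interface, and only then instantiates. The ConnectionPropertiesTransform interface, MyArbitraryClass and the payloadRan flag are stand-ins defined in the file so it compiles and runs offline; they are assumptions, not the driver's own types.

```java
import java.sql.SQLException;
import java.util.Properties;

// Stand-in for the driver's ConnectionPropertiesTransform interface (assumption:
// the real driver's interface lives in its own package; only its shape matters here).
interface ConnectionPropertiesTransform {
    Properties transformProperties(Properties props) throws SQLException;
}

// Hypothetical class an attacker can get onto the classpath. It does NOT implement
// the interface; its static initializer is the payload. The flag it sets lives in
// the demo class so that reading the flag does not itself initialize this class.
class MyArbitraryClass {
    static {
        PropertiesTransformDemo.payloadRan = true;
        System.out.println("[!] static initializer of MyArbitraryClass executed");
    }
}

public class PropertiesTransformDemo {
    static boolean payloadRan = false;

    // Vulnerable pattern: Class.forName(name) loads AND initializes the class, so
    // <clinit> has already run by the time the interface check below fails.
    static Properties vulnerableLoad(String className, Properties props) throws Exception {
        Class<?> clazz = Class.forName(className);             // static initializer runs here
        Object o = clazz.getDeclaredConstructor().newInstance();
        if (!(o instanceof ConnectionPropertiesTransform)) {   // too late to matter
            throw new SQLException("not a ConnectionPropertiesTransform: " + className);
        }
        return ((ConnectionPropertiesTransform) o).transformProperties(props);
    }

    // Hardened pattern: load WITHOUT initializing, verify the type first, and only
    // then initialize by instantiating it. An unrelated class is never initialized.
    static Properties safeLoad(String className, Properties props) throws Exception {
        ClassLoader cl = PropertiesTransformDemo.class.getClassLoader();
        Class<?> clazz = Class.forName(className, false, cl);  // no <clinit> yet
        if (!ConnectionPropertiesTransform.class.isAssignableFrom(clazz)) {
            throw new SQLException("refusing to initialize " + className
                    + ": does not implement ConnectionPropertiesTransform");
        }
        ConnectionPropertiesTransform t = clazz.asSubclass(ConnectionPropertiesTransform.class)
                .getDeclaredConstructor().newInstance();       // initialization happens here, after the check
        return t.transformProperties(props);
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        props.setProperty("user", "test");
        // A class literal does not trigger initialization, so this is safe to read.
        String target = MyArbitraryClass.class.getName();

        // 1. Hardened loader first: the class is rejected without being initialized.
        try {
            safeLoad(target, props);
        } catch (SQLException e) {
            System.out.println("safeLoad: " + e.getMessage());
        }
        System.out.println("payload ran after safeLoad?       " + payloadRan);

        // 2. Vulnerable loader: the type check still fails, but the initializer has run.
        try {
            vulnerableLoad(target, props);
        } catch (SQLException e) {
            System.out.println("vulnerableLoad: " + e.getMessage());
        }
        System.out.println("payload ran after vulnerableLoad? " + payloadRan);
    }
}
```

Compile and run with `javac PropertiesTransformDemo.java && java PropertiesTransformDemo`. The flag stays false after safeLoad and flips to true after vulnerableLoad, which is the whole difference between the two patterns: in the vulnerable one the interface check happens after the attacker's code has already executed. The same lesson applies on the application side: a JDBC URL or Properties object assembled from caller-supplied input should never be allowed to carry propertiesTransform.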
Impact
The vulnerability allows an attacker who controls the JDBC URL or connection properties to compromise the MySQL connector running inside the application. Successful exploitation can result in the following:
Unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of the MySQL connector.
Unauthorized update, insert or delete access to some of the data accessible to the MySQL connector.
Unauthorized read access to a subset of the data accessible to the MySQL connector.
Arbitrary code execution in the application process, via the static initializer of any class the attacker can get onto the classpath.
Patches
Fixed in 1.1.13 and later (https://github.com/awslabs/aws-mysql-jdbc/releases/tag/1.1.13).
Workarounds
None in the driver itself. Upgrade the driver to 1.1.13 or later. Until the upgrade is in place, do not build JDBC URLs or connection Properties from untrusted input, and in particular never let a caller supply the propertiesTransform property.
References
https://nvd.nist.gov/vuln/detail/CVE-2023-21971