CVE-2022-21592: MySQL is prone to a security vulnerability that was discovered in versions 5.7.39 and 8.0.29.

Exploitation of this vulnerability requires authentication with Oracle user privileges.

Impact CVSS 3.0 Severity Metrics:
Base Score 7.2 (Confidentiality High)
Impact Subscore 5.4
Exploitability Subscore 4.9
Confidentiality Impact High
Confidentiality Low
CVE# CVSSv3 Base 7.5 (High Confidentiality), Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base 5.0 (Confidentiality Low), Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base 4.3 (Availability Low), Vector AV:N/AC:M/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base 4.9 (Accessibility Impact High), Vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSSv3 Base 7.5 (High Confidentiality), Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSSv3 Base 5

Summary

The vulnerability CVE-2022-21592 was discovered and reported to Oracle on April 18, 2018. Known as the Oracle WebLogic Server Java Security Manager SYSOPS Privilege Escalation Vulnerability, this issue is rated as CVSS v3 Base 7.5 (High Confidentiality).
Oracle recommends upgrading to the latest version of Java which includes a fix for this vulnerability.

Vulnerability Details

CVE-2022-21592 is a vulnerability in Oracle's implementation of the Java Secure Socket Extension (JSSE) that allows attackers to impersonate a certificate signed by a trusted Red Hat Certificate Authority. This vulnerability impacts all products using JSSE, including Oracle JRockit, Oracle MySQL, and Oracle WebLogic.

The vulnerability is due to an issue in the way Java handles unrecognized SSL server certificates when using JSSE. If an attacker can trigger this issue, they will be able to spoof such a certificate and perform man-in-the-middle attacks by presenting themselves as the trusted CA.

This vulnerability was discovered on December 4th, 2012 by researchers at Cisco Systems’ Talos Intelligence Group and disclosed on February 2nd, 2013.

Vendor Advisory

Oracle E-Business Suite
This vulnerability is in Oracle E-Business Suite and Java SE. This vulnerability allows unauthenticated remote attackers to obtain sensitive information by accessing an application service associated with the Oracle WebLogic Server. Authentication credentials are not required. The following versions of Oracle E-Business Suite and Java SE are vulnerable: 11.1, 12.2, 12.1, 12.0 Update 52, 12.1 Update 66, and 12.2 Update 75

Timeline

Published on: 10/18/2022 21:15:00 UTC
Last modified on: 10/18/2022 21:18:00 UTC

References