CVE-2023-22102 Overview
CVE-2023-22102 is a high-severity vulnerability in the Oracle MySQL Connectors product, specifically in the Connector/J component. The flaw affects MySQL Connector/J versions 8.1.0 and prior. An unauthenticated attacker with network access can compromise MySQL Connectors when a user is tricked into interacting with attacker-controlled input. Successful exploitation results in takeover of MySQL Connectors and produces a scope change that may impact additional products. NetApp OnCommand Insight also bundles the affected component and inherits exposure. The vulnerability is classified under [CWE-284] Improper Access Control.
Critical Impact
Successful exploitation enables full takeover of MySQL Connectors with confidentiality, integrity, and availability impact, and the scope change may affect downstream applications that embed Connector/J.
Affected Products
- Oracle MySQL Connector/J versions 8.1.0 and prior
- NetApp OnCommand Insight (bundles affected Connector/J)
- Java applications using vulnerable Connector/J releases
Discovery Timeline
- 2023-10-17 - CVE-2023-22102 published to NVD as part of Oracle's October 2023 Critical Patch Update
- 2025-03-06 - Last updated in NVD database
Technical Details for CVE-2023-22102
Vulnerability Analysis
The vulnerability resides in Oracle MySQL Connector/J, the official Java Database Connectivity (JDBC) driver for MySQL. Connector/J translates JDBC calls into the MySQL wire protocol, so any flaw in the driver affects every Java application using it to reach a MySQL server. The advisory classifies the issue as improper access control [CWE-284] with confidentiality, integrity, and availability impact.
Exploitation requires user interaction, such as a developer or operator connecting to an attacker-controlled MySQL endpoint or processing attacker-supplied connection parameters. Because the flaw produces a scope change, an attacker who compromises the driver can pivot into the host Java application and influence resources outside the driver's security domain. The EPSS probability is 3.49% (87.7th percentile), indicating elevated exploitation likelihood relative to the average CVE.
Root Cause
Oracle's advisory does not publish source-level details. The CWE-284 mapping and scope change indicate that Connector/J fails to properly enforce access boundaries on data or operations it receives from a remote MySQL endpoint, allowing a malicious server or crafted response to influence the calling Java process beyond the driver's intended trust boundary.
Attack Vector
The attack vector is network-based and unauthenticated, but exploitation is rated as high complexity and requires user interaction. A typical scenario involves a victim Java application connecting to a malicious MySQL endpoint or being induced to load attacker-influenced connection properties. The malicious server then returns crafted protocol responses that subvert the driver and affect the host application. Refer to the Oracle October 2023 Security Alerts and NetApp Security Advisory NTAP-20231027-0007 for vendor-confirmed details.
Detection Methods for CVE-2023-22102
Indicators of Compromise
- Java applications loading mysql-connector-j JAR files at version 8.1.0 or earlier
- Outbound JDBC connections from application servers to untrusted or unexpected MySQL hosts on TCP/3306
- Unexpected child processes, file writes, or class loading originating from JVMs running Connector/J
- Connection strings sourced from user-controlled configuration files, URL parameters, or environment variables
Detection Strategies
- Inventory all Java applications and identify embedded mysql-connector-j or mysql-connector-java artifacts using software composition analysis (SCA) tools
- Scan container images, build artifacts, and pom.xml/build.gradle manifests for vulnerable Connector/J versions
- Monitor JVM runtime behavior for anomalous network destinations or deserialization activity triggered from JDBC calls
Monitoring Recommendations
- Alert on JDBC connections to MySQL hosts outside an approved allowlist
- Log and review changes to JDBC connection strings stored in configuration management or secrets stores
- Correlate process telemetry from Java application hosts with outbound TCP/3306 traffic to identify suspicious connection targets
How to Mitigate CVE-2023-22102
Immediate Actions Required
- Upgrade Oracle MySQL Connector/J to version 8.2.0 or later as directed by the Oracle October 2023 Critical Patch Update
- Apply NetApp's fix for OnCommand Insight per advisory NTAP-20231027-0007
- Audit application dependencies and rebuild affected artifacts after upgrading the driver
Patch Information
Oracle released a fixed version of MySQL Connector/J in the October 2023 Critical Patch Update. Consult the Oracle October 2023 Security Alerts for the authoritative patched version and download instructions. NetApp customers should follow NetApp Security Advisory NTAP-20231027-0007 for product-specific remediation guidance.
Workarounds
- Restrict Java applications to connect only to trusted, internally controlled MySQL servers using network egress controls
- Disable or block end-user influence over JDBC connection URLs and properties
- Enforce TLS with strict certificate validation on all MySQL connections to reduce exposure to rogue servers
- Run Java application services under least-privilege accounts to limit impact from scope-change exploitation
# Example: verify the Connector/J version present in a build
mvn dependency:tree | grep mysql-connector-j
# Example: enforce upgrade in Maven
# <dependency>
# <groupId>com.mysql</groupId>
# <artifactId>mysql-connector-j</artifactId>
# <version>8.2.0</version>
# </dependency>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
