Vulnerability-Lookup

RHSA-2026:4285

Vulnerability from csaf_redhat - Published: 2026-03-11 10:47 - Updated: 2026-04-08 13:34

Summary

Red Hat Security Advisory: Red Hat build of Debezium 3.2.7 release

Severity

Important

Notes

Topic: Red Hat build of Debezium connectors in version 3.2.7 are now available for Red Hat Application Foundations.

Details: Debezium is a distributed platform that turns your existing databases into event streams, so applications can see and respond immediately to each row-level change in the databases. Debezium is built on top of Apache Kafka and provides Kafka Connect compatible connectors that monitor specific database management systems. Debezium records the history of data changes in Kafka logs, from where your application consumes them. This makes it possible for your application to easily consume all of the events correctly and completely. Even if your application stops unexpectedly, it will not miss anything: when the application restarts, it will resume consuming the events where it left off. In addition this errata fixes two security issues mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects (CVE-2026-27727) c3p0: Arbitrary Code Execution via deserialization of crafted objects (CVE-2026-27830)

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-27727

A flaw was found in mchange-commons-java, a Java utility library. An attacker can exploit this vulnerability by providing a maliciously crafted `javax.naming.Reference` or serialized object to an application using the library. This can provoke the application to download and execute arbitrary malicious code due to mchange-commons-java's independent implementation of Java Naming and Directory Interface (JNDI) dereferencing, which supports remote code loading. This could lead to arbitrary code execution within the affected application.

8.3 (High)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

Vendor Fix To apply this update, follow the standard installation procedure for your platform: * https://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_openshift/index * https://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_rhel/index https://access.redhat.com/errata/RHSA-2026:4285

Workaround Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

CVE-2026-27830

A flaw was found in c3p0, a Java Database Connectivity (JDBC) Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or `javax.naming.Reference` instances. By manipulating the `userOverridesAsString` property, an attacker can cause the application to download and execute malicious code from a remote location on its CLASSPATH.

8.0 (High)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-502 - Deserialization of Untrusted Data

References

URL

Category

	https://access.redhat.com/errata/RHSA-2026:4285	self
	https://access.redhat.com/security/updates/classi…	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2026-27727	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2442671	external
	https://www.cve.org/CVERecord?id=CVE-2026-27727	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-27727	external
	https://github.com/swaldman/mchange-commons-java/…	external
	https://mogwailabs.de/en/blog/2025/02/c3p0-you-li…	external
	https://www.mchange.com/projects/c3p0/#configurin…	external
	https://www.mchange.com/projects/c3p0/#security-note	external
	https://access.redhat.com/security/cve/CVE-2026-27830	self
	https://bugzilla.redhat.com/show_bug.cgi?id=2442908	external
	https://www.cve.org/CVERecord?id=CVE-2026-27830	external
	https://nvd.nist.gov/vuln/detail/CVE-2026-27830	external
	https://github.com/swaldman/c3p0/commit/e14cbd816…	external
	https://github.com/swaldman/c3p0/security/advisor…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Red Hat build of Debezium connectors in version 3.2.7 are now available for Red Hat Application Foundations.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Debezium is a distributed platform that turns your existing databases into event streams, so applications can see and respond immediately to each row-level change in the databases.\n\nDebezium is built on top of Apache Kafka and provides Kafka Connect compatible connectors that monitor specific database management systems. Debezium records the history of data changes in Kafka logs, from where your application consumes them. This makes it possible for your application to easily consume all of the events correctly and completely. Even if your application stops unexpectedly, it will not miss anything: when the application restarts, it will resume consuming the events where it left off.\n\nIn addition this errata fixes two security issues\n\nmchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects (CVE-2026-27727)\nc3p0: Arbitrary Code Execution via deserialization of crafted objects (CVE-2026-27830)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:4285",
        "url": "https://access.redhat.com/errata/RHSA-2026:4285"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_4285.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Debezium 3.2.7 release",
    "tracking": {
      "current_release_date": "2026-04-08T13:34:45+00:00",
      "generator": {
        "date": "2026-04-08T13:34:45+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.5"
        }
      },
      "id": "RHSA-2026:4285",
      "initial_release_date": "2026-03-11T10:47:34+00:00",
      "revision_history": [
        {
          "date": "2026-03-11T10:47:34+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-03-11T10:47:34+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-04-08T13:34:45+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Build of Debezium 3.2",
                "product": {
                  "name": "Red Hat Build of Debezium 3.2",
                  "product_id": "Red Hat Build of Debezium 3.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:debezium:3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Integration"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27727",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2026-02-25T17:04:31.254239+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2442671"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in mchange-commons-java, a Java utility library. An attacker can exploit this vulnerability by providing a maliciously crafted `javax.naming.Reference` or serialized object to an application using the library. This can provoke the application to download and execute arbitrary malicious code due to mchange-commons-java\u0027s independent implementation of Java Naming and Directory Interface (JNDI) dereferencing, which supports remote code loading. This could lead to arbitrary code execution within the affected application.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Debezium 3.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-27727"
        },
        {
          "category": "external",
          "summary": "RHBZ#2442671",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442671"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-27727",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27727"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27727",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27727"
        },
        {
          "category": "external",
          "summary": "https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44",
          "url": "https://github.com/swaldman/mchange-commons-java/security/advisories/GHSA-m2cm-222f-qw44"
        },
        {
          "category": "external",
          "summary": "https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal",
          "url": "https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal"
        },
        {
          "category": "external",
          "summary": "https://www.mchange.com/projects/c3p0/#configuring_security",
          "url": "https://www.mchange.com/projects/c3p0/#configuring_security"
        },
        {
          "category": "external",
          "summary": "https://www.mchange.com/projects/c3p0/#security-note",
          "url": "https://www.mchange.com/projects/c3p0/#security-note"
        }
      ],
      "release_date": "2026-02-25T16:01:04.187000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-11T10:47:34+00:00",
          "details": "To apply this update, follow the standard installation procedure for your platform:\n\n* https://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_openshift/index\n*\nhttps://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_rhel/index",
          "product_ids": [
            "Red Hat Build of Debezium 3.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4285"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
          "product_ids": [
            "Red Hat Build of Debezium 3.2"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Debezium 3.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "com.mchange/mchange-commons-java: mchange-commons-java: Arbitrary code execution via JNDI dereferencing of crafted objects"
    },
    {
      "cve": "CVE-2026-27830",
      "cwe": {
        "id": "CWE-502",
        "name": "Deserialization of Untrusted Data"
      },
      "discovery_date": "2026-02-26T01:01:56.834884+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2442908"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in c3p0, a Java Database Connectivity (JDBC) Connection pooling library. This vulnerability allows an attacker to achieve arbitrary code execution by providing maliciously crafted Java-serialized objects or `javax.naming.Reference` instances. By manipulating the `userOverridesAsString` property, an attacker can cause the application to download and execute malicious code from a remote location on its CLASSPATH.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat Build of Debezium 3.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-27830"
        },
        {
          "category": "external",
          "summary": "RHBZ#2442908",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2442908"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-27830",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-27830"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-27830",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27830"
        },
        {
          "category": "external",
          "summary": "https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e",
          "url": "https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e"
        },
        {
          "category": "external",
          "summary": "https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv",
          "url": "https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv"
        },
        {
          "category": "external",
          "summary": "https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal",
          "url": "https://mogwailabs.de/en/blog/2025/02/c3p0-you-little-rascal"
        },
        {
          "category": "external",
          "summary": "https://www.mchange.com/projects/c3p0/#configuring_security",
          "url": "https://www.mchange.com/projects/c3p0/#configuring_security"
        },
        {
          "category": "external",
          "summary": "https://www.mchange.com/projects/c3p0/#security-note",
          "url": "https://www.mchange.com/projects/c3p0/#security-note"
        }
      ],
      "release_date": "2026-02-26T00:45:18.222000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-03-11T10:47:34+00:00",
          "details": "To apply this update, follow the standard installation procedure for your platform:\n\n* https://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_openshift/index\n*\nhttps://docs.redhat.com/en/documentation/red_hat_build_of_debezium/3.2.7/html-single/installing_debezium_on_rhel/index",
          "product_ids": [
            "Red Hat Build of Debezium 3.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:4285"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.0,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red Hat Build of Debezium 3.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "c3p0: c3p0: Arbitrary Code Execution via deserialization of crafted objects"
    }
  ]
}

CVE-2026-27727 (GCVE-0-2026-27727)

Vulnerability from cvelistv5 – Published: 2026-02-25 16:01 – Updated: 2026-02-25 20:15

Title

mchange-commons-java: Remote Code Execution via JNDI Reference Resolution

Summary

mchange-commons-java, a library that provides Java utilities, includes code that mirrors early implementations of JNDI functionality, including support for remote `factoryClassLocation` values, by which code can be downloaded and invoked within a running application. If an attacker can provoke an application to read a maliciously crafted `jaxax.naming.Reference` or serialized object, they can provoke the download and execution of malicious code. Implementations of this functionality within the JDK were disabled by default behind a System property that defaults to `false`, `com.sun.jndi.ldap.object.trustURLCodebase`. However, since mchange-commons-java includes an independent implementation of JNDI derefencing, libraries (such as c3p0) that resolve references via that implementation could be provoked to download and execute malicious code even after the JDK was hardened. Mirroring the JDK patch, mchange-commons-java's JNDI functionality is gated by configuration parameters that default to restrictive values starting in version 0.4.0. No known workarounds are available. Versions prior to 0.4.0 should be avoided on application CLASSPATHs.

Severity ?

8.9 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	swaldman	mchange-commons-java	Affected: < 0.4.0

CVE-2026-27830 (GCVE-0-2026-27830)

Vulnerability from cvelistv5 – Published: 2026-02-26 00:45 – Updated: 2026-02-27 16:25

Title

c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property

Summary

c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and `javax.naming.Reference` instances. Several c3p0 `ConnectionPoolDataSource` implementations have a property called `userOverridesAsString` which conceptually represents a `Map<String,Map<String,String>>`. Prior to v0.12.0, that property was maintained as a hex-encoded serialized object. Any attacker able to reset this property, on an existing `ConnectionPoolDataSource` or via maliciously crafted serialized objects or `javax.naming.Reference` instances could be tailored execute unexpected code on the application's `CLASSPATH`. The danger of this vulnerability was strongly magnified by vulnerabilities in c3p0's main dependency, mchange-commons-java. This library includes code that mirrors early implementations of JNDI functionality, including ungated support for remote `factoryClassLocation` values. Attackers could set c3p0's `userOverridesAsString` hex-encoded serialized objects that include objects "indirectly serialized" via JNDI references. Deserialization of those objects and dereferencing of the embedded `javax.naming.Reference` objects could provoke download and execution of malicious code from a remote `factoryClassLocation`. Although hazard presented by c3p0's vulnerabilites are exarcerbated by vulnerabilities in mchange-commons-java, use of Java-serialized-object hex as the format for a writable Java-Bean property, of objects that may be exposed across JNDI interfaces, represents a serious independent fragility. The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource` classes has been reimplemented to use a safe CSV-based format, rather than rely upon potentially dangerous Java object deserialization. c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+, which gates support for remote `factoryClassLocation` values by configuration parameters that default to restrictive values. c3p0 additionally enforces the new mchange-commons-java `com.mchange.v2.naming.nameGuardClassName` to prevent injection of unexpected, potentially remote JNDI names. There is no supported workaround for versions of c3p0 prior to 0.12.0.

Severity ?

8.9 (High)


                        
                          CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-502 - Deserialization of Untrusted Data
CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

	Vendor	Product	Version
	swaldman	c3p0	Affected: < 0.12.0

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2026:4285

CVE-2026-27727 (GCVE-0-2026-27727)

CVE-2026-27830 (GCVE-0-2026-27830)

Tags

Sightings

Nomenclature