This week, Oracle released a patch for a security issue that was found by Thijs Alkemade, one of our security specialists. Thijs discovered that MySQL Connector/J allows an attacker to compromise the system (gain arbitrary code execution) under some conditions. We reported the issue to Oracle, and it was assigned CVE-2017-3523 and patched. The fix was released in February, and a Critical Patch Update including this fix followed on April 18.

More details can be found in our advisory at https://www.computest.nl/advisories/CT-2017-0425_MySQL-Connector-J.txt