===================================================================== CERT-Renater Note d'Information No. 2021/VULN081 _____________________________________________________________________ DATE : 17/02/2022 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running PostgreSQL JDBC versions prior to 42.3.3. ===================================================================== https://www.postgresql.org/about/news/postgresql-jdbc-4233-released-2410/ https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8 _____________________________________________________________________ PostgreSQL JDBC 42.3.3 Released Posted on 2022-02-17 by JDBC Project A security advisory has been created for the PostgreSQL JDBC Driver. The URL connection string loggerFile property could be mis-used to create an arbitrary file on the system that the driver is loaded. Additionally anything in the connection string will be logged and subsequently written into that file. In an insecure system it would be possible to execute this file through a webserver. While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging. The changelog is not very useful as the change was done behind a security advisory. The short version is that loggerFile and loggerLevel properties still exist but do not do anything. The PostgreSQL JDBC team would like to thank all that have participated in this release! The JDBC Team _____________________________________________________________________ Arbitrary File Write Vulnerability Moderate davecramer published GHSA-673j-qm5f-xpv8 Package org.postgresql (java) Affected versions 42.3.x, 42.1.x Patched versions 42.3.3 Description Overview The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control. It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system. While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging. If you identify an application that allows remote users to specify a complete JDBC URL or properties without validating it's contents, we encourage you to notify the application owner as that may be a security defect in that specific application. Impact It is possible to specify an arbitrary filename in the loggerFileName connection parameter "jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>" This creates a valid JSP file which could lead to a Remote Code Execution Patches Problem has not been patched Workarounds sanitize the inputs to the driver Reported by Allan Lou v3ged0ge@gmail.com ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================