Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 3 Apr 2024 00:39:06 +0200
From: daniel <sd@....eu>
To: oss-security@...ts.openwall.com
Subject: CVE-2024-1597: PostgreSQL pgjdbc: SQL injection in non-default
 configuration

###
##	Summary
###
On the 21st of February 2024 a security advisory for the JDBC driver of 
PosgreSQL was published [1].
Which states: "SQL injection is possible when using the non-default 
connection property preferQueryMode=simple in combination with 
application code that has a vulnerable SQL that negates a parameter value."
Corresponding fixes were published at the 19th of February 2024.

###
##	Severity
###
The severity is critical with a CVSS score of 10 but several conditions 
must be met for successful exploitation.

Quote from [1]:
To exploit this behavior the following additional conditions must be met:

     A placeholder for a numeric value must be immediately preceded by a 
minus (i.e. -)
     There must be a second placeholder for a string value after the 
first placeholder on the same line.
     Both parameters must be user controlled.

###
##	Example from [1]
###
PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
stmt.setInt(1, -1);
stmt.setString(2, "\nWHERE false --");
ResultSet rs = stmt.executeQuery();

The resulting SQL when operating in simple query mode would be:

SELECT --1,'
WHERE false --'

and the result after the fix applied:

SELECT -('-1'::int4), ('
WHERE false --')

###
##	Affected products and versions
###
pgJDBC [1]

     All versions prior to 42.7.2
     All versions prior to 42.6.1
     All versions prior to 42.5.5
     All versions prior to 42.4.4
     All versions prior to 42.3.9
     All versions prior to 42.2.28
     All versions prior to 42.2.28.jre7

EnterpriseDB pgJDBC [2]

     All versions prior to 42.5.4.2

and likely other products which bundle the above products like Atlassian 
Bamboo Data Center and Server [3] or IBM Maximo Application Suite[4].

###
##	Credit
###
Paul Gerste [5] has been credited as the reporter of the vulnerability [1].


References:
[1] https://github.com/advisories/GHSA-24rp-q3w6-vc56
[2] https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
[3] https://jira.atlassian.com/browse/BAM-25716
[4] 
https://www.ibm.com/support/pages/security-bulletin-ibm-maximo-application-suite-uses-postgresql-4238jar-which-vulnerable-cve-2024-1597
[5] https://github.com/paul-gerste-sonarsource

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.