Bug 2050863 (CVE-2022-21724)

Summary: CVE-2022-21724 jdbc-postgresql: Unchecked Class Instantiation when providing Plugin Classes
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, anstephe, avibelli, bgeorges, bibryam, caolanm, caswilli, chazlett, clement.escoffier, dandread, databases-maint, dkreling, drieden, emingora, eric.wittmann, etirelli, fjanus, ggastald, gmalinko, gsmet, hamadhan, hbraun, hhorak, ibek, janstey, jjanco, jnethert, jochrist, jrokos, jstastny, jwon, kaycoth, krathod, kverlaen, lthon, mkulik, mnovotny, mszynkie, odubaj, pantinor, pdelbell, peholase, pgallagh, pjindal, pkubat, praiskup, probinso, rguimara, rrajasek, rruss, rsvoboda, saroy, sbiarozk, sdouglas, tgl, tzimanyi, zmiklank
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: postgresql 42.2.25, postgresql 42.3.2 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-18 14:35:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2050864, 2061280, 2061281, 2061282, 2096295    
Bug Blocks: 2050865    

Description Guilherme de Almeida Suckevicz 2022-02-04 19:40:12 UTC 
pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to remote code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

Reference:
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4

Upstream patch:
https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
Comment 1 Guilherme de Almeida Suckevicz 2022-02-04 19:40:31 UTC 
Created postgresql-jdbc tracking bugs for this issue:

Affects: fedora-all [bug 2050864]
Comment 15 errata-xmlrpc 2022-05-18 10:56:38 UTC 
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.7.5

Via RHSA-2022:4623 https://access.redhat.com/errata/RHSA-2022:4623
Comment 16 Product Security DevOps Team 2022-05-18 14:35:27 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-21724
Comment 23 errata-xmlrpc 2022-07-07 14:22:24 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.11

Via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
Comment 24 errata-xmlrpc 2022-10-05 10:45:29 UTC 
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813
Comment 25 errata-xmlrpc 2022-10-06 12:27:58 UTC 
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835