Bug 2266523 (CVE-2024-1597)

Summary: CVE-2024-1597 pgjdbc: PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: adupliak, aileenc, anstephe, asoldano, avibelli, bbaranow, bbuckingham, bcourt, bgeorges, bmaxwell, boliveir, brian.stansberry, btarraso, cdewolf, chazlett, clement.escoffier, cmiranda, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, dpalmer, drichtar, dsimansk, ecerquei, ehelms, eric.wittmann, fjuma, fmariani, fmongiar, gmalinko, gsmet, ibek, ivassile, iweiss, janstey, jmartisk, jnethert, jpoth, jrokos, jsherril, kingland, kverlaen, lgao, lthon, lzap, matzew, max.andersen, mhulan, michal.skrivanek, mnovotny, mosmerov, mperina, msochure, mstefank, msvehla, mulliken, nmoumoul, nwallace, olubyans, orabin, pantinor, pcongius, pcreech, pdelbell, pdrozd, peholase, pgallagh, pierdipi, pjindal, pmackay, porcelli, probinso, pskopek, rchan, rguimara, rhuss, rowaters, rruss, rstancel, rsvoboda, saroy, sausingh, sbiarozk, sdouglas, skontopo, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: PostgreSQL JDBC Driver 42.7.2, PostgreSQL JDBC Driver 42.6.1, PostgreSQL JDBC Driver 42.5.5, PostgreSQL JDBC Driver 42.4.4, PostgreSQL JDBC Driver 42.3.9, PostgreSQL JDBC Driver 42.2.28, PostgreSQL JDBC Driver 42.2.28.jre7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the PostgreSQL JDBC Driver. A SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2266524, 2266525, 2270746
Bug Blocks: 2266526

Description Avinash Hanwate 2024-02-28 04:38:15 UTC
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.8 are affected.

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/
https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
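
The description above ties exposure to two things at once: the non-default simple query mode, and a query whose numeric placeholder sits directly after a minus sign with a second placeholder later on the same line. The Python script below is an added illustration and is not part of the bug report, of pgjdbc, or of Red Hat's tooling. It audits a JDBC connection configuration and a set of PreparedStatement templates for exactly that combination, and shows one way to rewrite a flagged template while an upgrade is pending. The JDBC URL and the SQL templates are constructed samples. The scanner cannot know parameter types from the SQL text alone, so it reports every `-?` followed by another `?` on the same line as a candidate for review; upgrading to the fixed versions listed above, or simply not enabling simple mode, is the actual remedy.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample inputs (not taken from the bug report): a JDBC URL that
# opts into the non-default query mode, and SQL templates an application might
# keep for PreparedStatement use.
SAMPLE_JDBC_URL = "jdbc:postgresql://db.example.internal:5432/app?preferQueryMode=simple&ssl=true"
SAMPLE_TEMPLATES = {
    "balance_adjust": "UPDATE accounts SET balance = balance -? WHERE owner = ?",
    "lookup": "SELECT * FROM orders WHERE id = ? AND note = ?",
    "multiline": "SELECT * FROM ledger WHERE delta = -?\n  AND memo = ?",
    "negated_only": "SELECT -? AS neg",
    "quoted": "SELECT * FROM t WHERE label = '-?' AND x = ?",
    "commented": "SELECT -? AS neg -- old form used ?",
}


def uses_simple_query_mode(jdbc_url: str, props: Optional[Dict[str, str]] = None) -> bool:
    """True when preferQueryMode=simple is set via the URL query string or via
    the Properties handed to DriverManager. Matching is case-insensitive on
    purpose: this check is meant to over-report rather than miss a spelling."""
    values: List[str] = []
    for key, vals in parse_qs(jdbc_url.partition("?")[2]).items():
        if key.lower() == "preferquerymode":
            values.extend(vals)
    for key, val in (props or {}).items():
        if key.lower() == "preferquerymode":
            values.append(str(val))
    return any(v.strip().lower() == "simple" for v in values)


def scan_placeholders(sql: str) -> List[Tuple[int, int, bool]]:
    """Return (line, index, minus_before) for each '?' parameter marker, skipping
    markers inside single-quoted literals, -- line comments and /* */ block
    comments. Doubled quotes ('') are handled; dollar quoting is not."""
    found: List[Tuple[int, int, bool]] = []
    in_str = in_block = False
    line, i, n = 1, 0, len(sql)
    while i < n:
        c = sql[i]
        if c == "\n":
            line += 1
            i += 1
        elif in_str:
            if c == "'" and sql.startswith("''", i):
                i += 2                      # escaped quote inside a literal
            else:
                in_str = c != "'"           # a lone quote closes the literal
                i += 1
        elif in_block:
            if sql.startswith("*/", i):
                in_block = False
                i += 2
            else:
                i += 1
        elif c == "'":
            in_str = True
            i += 1
        elif sql.startswith("/*", i):
            in_block = True
            i += 2
        elif sql.startswith("--", i):
            j = sql.find("\n", i)           # rest of the line is a comment
            i = n if j == -1 else j
        else:
            if c == "?":
                found.append((line, i, i > 0 and sql[i - 1] == "-"))
            i += 1
    return found


def risky_lines(sql: str) -> List[int]:
    """Lines with the shape named in the report: a marker immediately preceded
    by '-' and a further marker later on the same line. Types are unknown
    statically, so each hit is a candidate for review, not a confirmed bug."""
    by_line: Dict[int, List[bool]] = {}
    for line, _, minus in scan_placeholders(sql):
        by_line.setdefault(line, []).append(minus)
    # any(flags[:-1]): some marker that is NOT the last one on the line has a
    # minus directly in front of it, so a later marker exists on that line.
    return [line for line, flags in sorted(by_line.items()) if any(flags[:-1])]


def separate_minus(sql: str) -> str:
    """Workaround for code that cannot upgrade yet: put a space between '-' and
    the marker, so a negative value is never rendered as two adjacent dashes
    (the SQL line-comment start). Negating in Java and binding a plain '?'
    achieves the same thing."""
    out = sql
    for _, idx, minus in reversed(scan_placeholders(sql)):  # edit right-to-left
        if minus:
            out = out[:idx] + " " + out[idx:]
    return out


def audit(jdbc_url: str, templates: Dict[str, str],
          props: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Combine both conditions from the report: exposure needs simple query
    mode AND at least one template with the risky placeholder layout."""
    simple = uses_simple_query_mode(jdbc_url, props)
    findings = {name: lines for name, sql in templates.items()
                if (lines := risky_lines(sql))}
    return {"simple_query_mode": simple, "findings": findings,
            "exposed": simple and bool(findings)}


if __name__ == "__main__":
    report = audit(SAMPLE_JDBC_URL, SAMPLE_TEMPLATES)
    print(report)
    for name in report["findings"]:
        print(f"{name}: {separate_minus(SAMPLE_TEMPLATES[name])!r}")
```

Run against the samples, only `balance_adjust` is reported: the marker after the minus in `multiline` has its second marker on the next line, `negated_only` has no second marker, and the `-?` in `quoted` and the trailing `?` in `commented` are inside a literal and a comment respectively. The rewrite turns `balance -?` into `balance - ?`, which evaluates identically for positive and negative bindings.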

Comment 1 Avinash Hanwate 2024-02-28 04:40:28 UTC
Created postgresql-jdbc tracking bugs for this issue:

Affects: fedora-all [bug 2266524]

Comment 7 errata-xmlrpc 2024-03-20 08:21:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1435 https://access.redhat.com/errata/RHSA-2024:1435

Comment 8 errata-xmlrpc 2024-03-20 09:25:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:1436 https://access.redhat.com/errata/RHSA-2024:1436

Comment 14 errata-xmlrpc 2024-04-02 20:50:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1649 https://access.redhat.com/errata/RHSA-2024:1649

Comment 15 errata-xmlrpc 2024-04-03 10:53:26 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 3.2.11

Via RHSA-2024:1662 https://access.redhat.com/errata/RHSA-2024:1662

Comment 16 errata-xmlrpc 2024-04-04 21:33:10 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2024:1686 https://access.redhat.com/errata/RHSA-2024:1686

Comment 17 errata-xmlrpc 2024-04-22 10:59:35 UTC
This issue has been addressed in the following products:

  Red Hat build of Quarkus 2.13.9.SP2

Via RHSA-2024:1797 https://access.redhat.com/errata/RHSA-2024:1797

Comment 18 errata-xmlrpc 2024-04-23 14:25:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1999 https://access.redhat.com/errata/RHSA-2024:1999

Comment 19 errata-xmlrpc 2024-04-30 16:55:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:2624 https://access.redhat.com/errata/RHSA-2024:2624