Bug 2372307 (CVE-2025-49146)

Summary: CVE-2025-49146 pgjdbc: pgjdbc insecure authentication in channel binding
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aazores, anstephe, anthomas, aprice, aschwart, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, caswilli, ccranfor, cdewolf, clement.escoffier, cmah, cmiranda, dandread, darran.lofthouse, dbruscin, dhanak, dkreling, dnakabaa, dosoudil, drosa, eaguilar, ebaron, ehelms, eric.wittmann, fjuma, fmariani, ggainey, gmalinko, gsmet, ibek, istudens, ivassile, iweiss, janstey, jmartisk, joehler, jolong, jpechane, jpoth, jrokos, jsamir, juwatts, kaycoth, kgaikwad, kholdawa, kvanderr, kverlaen, lcouzens, lgao, lthon, manderse, mhulan, mnovotny, mosmerov, mposolda, mskarbek, msochure, msvehla, nipatil, nmoumoul, nwallace, oezr, olubyans, osousa, pantinor, pbizzarr, pcongius, pcreech, pdelbell, pesilva, pgallagh, pjindal, pmackay, probinso, rchan, rguimara, rkieley, rkubis, rmartinc, rruss, rstancel, rstepani, rsvoboda, sausingh, sbiarozk, sdawley, smaestri, smallamp, ssilvert, sthirugn, sthorger, tcunning, tmalecek, tom.jenkinson, tqvarnst, vkrizan, vmuzikar, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves in the middle of a connection and intercept the connection.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-06-11 15:01:57 UTC 
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.
Comment 2 errata-xmlrpc 2025-06-25 19:47:47 UTC 
This issue has been addressed in the following products:

  Red Hat build of Apache Camel 4.10.3 for Spring Boot 3.4.7

Via RHSA-2025:9697 https://access.redhat.com/errata/RHSA-2025:9697
Comment 3 errata-xmlrpc 2025-07-03 12:46:25 UTC 
This issue has been addressed in the following products:

  Cryostat 4 on RHEL 9

Via RHSA-2025:10323 https://access.redhat.com/errata/RHSA-2025:10323
Comment 4 errata-xmlrpc 2025-08-06 16:17:46 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.13.1

Via RHSA-2025:13274 https://access.redhat.com/errata/RHSA-2025:13274
Comment 6 errata-xmlrpc 2025-09-22 23:39:41 UTC 
This issue has been addressed in the following products:

  Red Hat AMQ Broker 7.12.5

Via RHSA-2025:16409 https://access.redhat.com/errata/RHSA-2025:16409