Bug 807394 - (CVE-2012-1618) postgresql-jdbc: SQL injection due to improper escaping of JDBC statement parameters
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20120325,repor...
Reported: 2012-03-27 12:43 EDT by Jan Lieskovsky
Modified: 2013-04-30 10:10 EDT
Doc Type: Bug Fix
Last Closed: 2012-03-30 08:10:57 EDT
Attachments: None
Description Jan Lieskovsky 2012-03-27 12:43:57 EDT
A SQL injection flaw was found in the way postgresql-jdbc, a JDBC driver for PostgreSQL database, performed escaping of certain JDBC statement parameters. A remote attacker could provide a JDBC statement with specially-crafted parameters, which once processed by the postgresql-jdbc driver would lead to SQL injection.

References:
[1] http://seclists.org/bugtraq/2012/Mar/125
[2] http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html
[3] https://bugzilla.novell.com/show_bug.cgi?id=754273
Comment 1 Jan Lieskovsky 2012-03-27 13:12:50 EDT
This issue affects the version of the postgresql-jdbc package, as shipped with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the version of the postgresql-jdbc package, as shipped with Red Hat Enterprise Linux 6.
Comment 4 Jan Lieskovsky 2012-03-27 13:27:27 EDT
This issue did NOT affect the versions of the postgresql-jdbc package, as shipped with Fedora releases 15 and 16.
Comment 10 Jan Lieskovsky 2012-03-30 08:10:57 EDT
Statement:

The upstream development team of the JDBC driver for the PostgreSQL database does not consider improper escaping of certain JDBC statement / query parameters, when a JDBC driver of a version older than the version of the underlying PostgreSQL server is being used, to be a security defect. In general, the JDBC driver for the PostgreSQL database does not promise to work with server releases newer than the driver release. The Red Hat Security Response Team agrees with their assessment and so does not consider this to be a security flaw.
Comment 12 Tom Lane 2012-03-30 09:56:13 EDT
(In reply to comment #11)
> Further links:
> [6] http://archives.postgresql.org/pgsql-committers/2010-07/msg00210.php

The server-side release note warning foreseen there is the first compatibility item in the 9.1 release notes:
http://www.postgresql.org/docs/9.1/static/release-9-1.html
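As an added illustration (not code from this bug report, the pgjdbc project or PostgreSQL), the following models how a client-side escaping routine interacts with the server's standard_conforming_strings setting, which is my reading of the 9.1 compatibility item referenced above; the page itself does not name the setting. The backslash-style quoting attributed here to the obsolete driver is an assumption, and the check shown is the kind of test a maintainer can run against a driver's escaping routine before pairing it with a newer server.

```python
# Added example (not from the bug report): models how a client-side escaping
# routine interacts with PostgreSQL's standard_conforming_strings (SCS).
# Assumption: the obsolete driver escaped a quote as \' (backslash style),
# which a server running with SCS=on no longer treats as an escape.

def legacy_escape(value: str) -> str:
    """Backslash-style escaping (assumed behaviour of the obsolete driver)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def conforming_escape(value: str) -> str:
    """Quote doubling, which is what SCS=on expects."""
    return value.replace("'", "''")

def parse_literal(sql: str, scs_on: bool):
    """Parse the single-quoted literal at the start of `sql` the way the
    server lexer would, returning (decoded_value, remaining_sql).
    With scs_on=False a backslash escapes the next character; with
    scs_on=True a backslash is an ordinary character."""
    assert sql.startswith("'")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":      # doubled quote -> one quote char
                out.append("'")
                i += 2
                continue
            return "".join(out), sql[i + 1:]  # literal ends here
        if ch == "\\" and not scs_on and i + 1 < len(sql):
            out.append(sql[i + 1])            # backslash escape consumed
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ValueError("unterminated string literal")

def escaping_is_sound(value: str, escape, scs_on: bool) -> bool:
    """True only if quoting escape(value) yields exactly one literal that
    decodes back to `value` with nothing left over for the SQL parser.
    Leftover text means part of the parameter escaped the literal."""
    try:
        decoded, rest = parse_literal("'" + escape(value) + "'", scs_on)
    except ValueError:
        return False
    return decoded == value and rest == ""

if __name__ == "__main__":
    sample = "O'Reilly"   # constructed parameter containing a quote
    for scs in (False, True):
        print(f"scs_on={scs}: legacy sound={escaping_is_sound(sample, legacy_escape, scs)}, "
              f"conforming sound={escaping_is_sound(sample, conforming_escape, scs)}")
```

Neither fixed routine is sound under both settings (quote doubling alone mishandles backslashes when SCS is off), which is why a driver must learn the server's mode or bind parameters server-side rather than interpolate them.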
Comment 13 Kurt Seifried 2012-04-04 15:41:30 EDT
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/04/04/9

First off: I agree this is not an issue in PostgreSQL upstream. This issue only occurs with an ancient, unsupported and obsolete version of the JDBC driver when being used with a newer version of PostgreSQL.

However, having stated that, there is a security boundary violation going on. Just because a software component is out of date or not supported doesn't mean security bugs shouldn't at least be acknowledged (software tends to live past its designed lifetime). Add to this the fact that someone actually reported it, and we can state with some certainty that it affected at least one person, ergo there is a reasonable chance it may affect others.

So I checked the CVE database; we have 64 instances of "when used with". Some reasonable examples:

CVE-2009-4040,Candidate,"Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.0.17 and 2.5.x before 2.5.2, when used with Internet Explorer 6 or 7, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the search page.","CONFIRM:http://www.phpmyfaq.de/advisory_2009-09-01.php

CVE-2008-2705,Candidate,"Unspecified vulnerability in Sun Java System Access Manager (AM) 7.1, when used with certain versions and configurations of Sun Directory Server Enterprise Edition (DSEE), allows remote attackers to bypass authentication via unspecified vectors.","SUNALERT:238416

So I think it's safe to say that we can (and should) assign CVEs based on the unintended interactions of products (assigning a CVE helps ensure that people are more likely to find out, security scanners all love to pick up on CVEs, etc.). I'm going to assign a CVE for this and suggest a description (stolen directly from the first bug report, http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html):

"When using PostgreSQL JDBC driver version 8.1 to connect to a PostgreSQL version 9.1 database, escaping of JDBC statement parameters does not work and SQL injection attacks are possible. It should be noted that the PostgreSQL JDBC driver version 8.1 is officially obsolete and should not be used."

Please use CVE-2012-1618 for this issue.