In late 2021, researchers discovered a dangerous security hole in pgjdbc—the official JDBC (Java Database Connectivity) driver used for connecting Java applications to PostgreSQL databases. This vulnerability, assigned CVE-2022-21724, lets attackers gain remote code execution if they can control certain connection properties or the JDBC URL. Systems using pgjdbc are at risk and should update immediately.
Let’s break down how this security issue works, why it's dangerous, and how you can protect your applications.
What Is CVE-2022-21724?
At its core, CVE-2022-21724 is a code execution vulnerability. It occurs because the pgjdbc driver does not verify that plugin classes provided via connection properties implement the right Java interface before trying to use them. This means a hacker could trick the driver into loading *any* class on the classpath—potentially running malicious code.
Affected Connection Properties
pgjdbc lets users configure plugins and callbacks by passing class names in the following connection properties:
sslpasswordcallback
If an attacker can supply values for these properties—directly through code, or by influencing a JDBC URL—they can point to arbitrary classes.
Let’s look at a simplified view of the vulnerable code, adapted for clarity
// Vulnerable code (simplified)
String className = properties.getProperty("socketFactory");
if (className != null) {
Class<?> clazz = Class.forName(className, true, getClass().getClassLoader());
Object instance = clazz.getDeclaredConstructor().newInstance();
// Use 'instance' as a SocketFactory, but does not check its type!
}
Here, the driver assumes the supplied class implements the correct interface, but it does *not* check for this. A malicious actor could pass the name of a different class, which runs their code during instantiation.
Imagine this JDBC URL
jdbc:postgresql://localhost:5432/mydb?socketFactory=bad.actor.MaliciousClass
If bad.actor.MaliciousClass is present on the classpath (maybe thanks to a dependency injection attack or a poorly configured server), its static initializers or constructor could be used to execute code—giving the attacker control over your server.
Here’s a simple malicious class an attacker might use
package bad.actor;
public class MaliciousClass {
static {
// This code runs when the class is loaded
try {
Runtime.getRuntime().exec("touch /tmp/pgjdbc_hacked");
} catch (Exception e) {
e.printStackTrace();
}
}
public MaliciousClass() {
// Constructor (could also execute code here)
System.out.println("MaliciousClass instantiated!");
}
}
If the server executes a JDBC connection using a URL with
?sslfactory=bad.actor.MaliciousClass
...and this class is anywhere on the classpath, the command in the static block runs, proving arbitrary code execution is possible.
Real-World Impact
Who is at risk?
- Java applications using the pgjdbc driver and accepting untrusted JDBC URLs or connection properties.
- Systems where attackers can influence application configuration (through environment variables, properties files, or user input).
Potential damage:
Pivoting attacks on infrastructure.
There are no workarounds: No safe configuration can patch this short of upgrading.
Fix and Mitigation
The pgjdbc team fixed this in version 42.3.1. The patch ensures the driver now checks if the supplied class implements the correct interface before instantiating it, blocking this attack.
Upgrade org.postgresql:postgresql to version 42.3.1 or above.
- Never let users (or attackers) control JDBC URLs or connection properties in a production environment.
- Audit your code and configuration for unsafe usage of sslfactory, socketFactory, and similar properties.
References and More Reading
- Official Advisory from PostgreSQL
- pgjdbc GitHub Issue and Fix
- NVD CVE Entry for CVE-2022-21724
Conclusion
CVE-2022-21724 is a severe vulnerability in PostgreSQL’s official JDBC driver that makes it easy for attackers to execute code if they can control connection properties or URLs. There is no workaround—only upgrading your driver will keep you safe. All teams and companies using PostgreSQL with Java should review their dependencies and update as soon as possible!
Know what your libraries do, keep them up-to-date, and never accept untrusted config inputs in your connection code. Stay safe!
Timeline
Published on: 02/02/2022 12:15:00 UTC
Last modified on: 08/01/2022 11:15:00 UTC