Remove insecure JDBC URLs from the system. The plugin instances can be controlled via the `authenticationPluginClassName` and `sslhostnameverifier` connection properties. End users can protect their systems from this issue by using a PGP key with their PostgreSQL connection.
CVE-2017-12624
There are two ways to control the plugin instances. The easiest way is to use the `authenticationPluginClassName` and `sslhostnameverifier` connection properties.
If you want more control, you can use the following system properties:
1) `-Djdbc.user=someuser`
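The text above says to remove insecure JDBC URLs and names the two connection properties that select plugin classes. The following is an added example (not pgjdbc code, and not from the advisory) of the kind of check a defender can run over configured JDBC URLs: it parses the URL's query string, merges any separately supplied properties, and reports every property that names a class to be loaded. The property set is seeded with the two names on the page; the helper names, the `allowed_classes` allowlist and the sample URLs are constructed for this example.

```python
from typing import Dict, Optional, FrozenSet
from urllib.parse import parse_qsl, urlsplit

# Connection properties that make the driver instantiate a class by name.
# These two are the ones named in the advisory text; an operator extends
# the set from the driver documentation for the pgjdbc version in use
# (assumption: this list is maintained alongside the deployment config).
CLASS_LOADING_PROPERTIES: FrozenSet[str] = frozenset({
    "authenticationpluginclassname",
    "sslhostnameverifier",
})


def jdbc_url_properties(url: str) -> Dict[str, str]:
    """Return the query-string properties of a jdbc:postgresql: URL."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    # Strip the leading "jdbc:" so the remainder parses as an ordinary URL.
    parts = urlsplit(url[len("jdbc:"):])
    if parts.scheme != "postgresql":
        raise ValueError("not a PostgreSQL JDBC URL")
    return dict(parse_qsl(parts.query, keep_blank_values=True))


def find_class_loading_properties(
    url: str, extra_props: Optional[Dict[str, str]] = None
) -> Dict[str, str]:
    """Properties, from the URL or a separate Properties map, that name a class.

    Property names are compared case-insensitively so that a differently
    cased key in a config file does not slip past the check.
    """
    props = jdbc_url_properties(url)
    if extra_props:
        props.update(extra_props)
    return {k: v for k, v in props.items() if k.lower() in CLASS_LOADING_PROPERTIES}


def is_url_allowed(
    url: str,
    extra_props: Optional[Dict[str, str]] = None,
    allowed_classes: FrozenSet[str] = frozenset(),
) -> bool:
    """True when every class-loading property names an explicitly approved class."""
    flagged = find_class_loading_properties(url, extra_props)
    return all(value in allowed_classes for value in flagged.values())


# Constructed sample URLs standing in for a deployment's configuration files.
SAMPLE_URLS = [
    "jdbc:postgresql://db.example.internal:5432/app?user=app&ssl=true",
    "jdbc:postgresql://db.example.internal:5432/app?user=app"
    "&sslhostnameverifier=com.example.CustomVerifier",
]


def scan_urls(urls, allowed_classes: FrozenSet[str] = frozenset()):
    """Return the subset of URLs that set a class-loading property not on the allowlist."""
    return [u for u in urls if not is_url_allowed(u, allowed_classes=allowed_classes)]


if __name__ == "__main__":
    for offending in scan_urls(SAMPLE_URLS):
        print("review:", offending, find_class_loading_properties(offending))
```

Run it against the URLs pulled from application configuration; anything it reports either has the property removed or is added to `allowed_classes` after the named class has been reviewed.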
Credit Card Data Exposure
A vulnerability in the PostgreSQL database which could allow a malicious attacker to access credit card data from a website is being investigated. The vulnerability was discovered by Gartner during an audit of the application.
CVE-2022-21725
Add the required SSLHostnameVerifier to the PostgreSQL configuration. The SSLHostnameVerifier acts as an SSL hostname verifier and is required for all SSL enabled JDBC connections.
CVE-2023-21725
The following changes were made to address CVE-2022-21724:
* The code for the `AuthenticationPluginClassName` and `sslhostnameverifier` connection properties was removed from the jdbc driver class.
* The code for the `caCertPath` connection property was modified to allow for CA certificates to be loaded from a file rather than an in-memory database.
* End users can protect their systems from this issue by using a PGP key with their PostgreSQL connection.
Vulnerability details
A vulnerability in the PostgreSQL database management system that can be exploited by an attacker to gain access to applications which use PostgreSQL. The vulnerability is triggered when the attacker submits a specially crafted SQL query that causes a heap overflow in the jdbc driver of the JDBC connection pool implementation. An attacker who submits such a query can then execute arbitrary code within the context of the application server or database server process.
Timeline
Published on: 02/02/2022 12:15:00 UTC
Last modified on: 08/01/2022 11:15:00 UTC
References
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
- https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
- https://security.netapp.com/advisory/ntap-20220311-0005/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/
- https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html
- https://www.debian.org/security/2022/dsa-5196
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724