CVE-2022-21724 PostgreSQL JDBC Driver has a security hole, which can be used to attack the system that uses it.

Try to remove the insecure jdbc urls from the system. The plugin instances can be controlled via the `authenticationPluginClassName` and `sslhostnameverifier` connection properties. End users can protect themselves from this issue by using a PGP key with their PostgreSQL connection. End users can protect their systems from this issue by using a PGP key with their PostgreSQL connection.

CVE-2017-12624

There are two ways to control the plugin instances. The easiest way is to use the `authenticationPluginClassName` and `sslhostnameverifier` connection properties.
If you want more control, you can use the following system properties:
1) `-Djdbc.user=someuser`

Credit

Card Data Exposure
A vulnerability in the PostgreSQL database which could allow a malicious attacker to access credit card data from a website is being investigated. The vulnerability was discovered by Gartner during an audit of the application.

CVE-2022-21725

Add the required SSLHostnameVerifier to the PostgreSQL configuration. The SSLHostnameVerifier acts as an SSL hostname verifier and is required for all SSL enabled JDBC connections.

CVE-2023-21725

The following changes were made to address CVE-2022-21724:
* The code for the `AuthenticationPluginClassName` and `sslhostnameverifier` connection properties was removed from the jdbc driver class.
* The code for the `caCertPath` connection property was modified to allow for CA certificates to be loaded from a file rather than an in-memory database.
* End users can protect themselves from this issue by using a PGP key with their PostgreSQL connection. End users can protect their systems from this issue by using a PGP key with their PostgreSQL connection.

Vulnerability details

A vulnerability in the PostgreSQL database management system that can be exploited by an attacker to gain access to applications which use PostgreSQL.
A vulnerability in the PostgreSQL database management system that can be exploited by an attacker to gain access to applications which use PostgreSQL. The vulnerability is triggered when the attacker submits a specially crafted SQL query that causes a heap overflow in the jdbc driver of the JDBC connection pool implementation. An attacker can exploit this vulnerability by submitting a specially crafted SQL query, they will then execute arbitrary code within the context of the application server or database server process.

Timeline

Published on: 02/02/2022 12:15:00 UTC
Last modified on: 08/01/2022 11:15:00 UTC

References

• https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
• https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
• https://security.netapp.com/advisory/ntap-20220311-0005/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/
• https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html
• https://www.debian.org/security/2022/dsa-5196
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724