Bug 1195561 - (CVE-2022-21724) VUL-0: CVE-2022-21724: postgresql-jdbc: unchecked class instantiation when loading plugins based on class names
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Priority: P3 - Medium, Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/322402/
CVSSv3.1:SUSE:CVE-2022-21724:5.3:(AV:...
Reported: 2022-02-04 14:49 UTC by Carlos López
Modified: 2022-06-21 10:20 UTC (History)
Found By: Security Response Team
Description Carlos López 2022-02-04 14:49:39 UTC
CVE-2022-21724

pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the
JDBC driver for the PostgreSQL database while doing security research. A system
using the PostgreSQL library can be attacked when an attacker controls the JDBC URL
or properties. pgjdbc instantiates plugin instances based on class names
provided via the `authenticationPluginClassName`, `sslhostnameverifier`,
`socketFactory`, `sslfactory` and `sslpasswordcallback` connection properties.
However, the driver did not verify whether the class implements the expected
interface before instantiating it. This can lead to remote code execution
loaded via arbitrary classes. Users using plugins are advised to upgrade. There
are no known workarounds for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-21724
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21724
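The unchecked-instantiation pattern the description refers to, beside a checked version, as an added illustration in Java; this is not pgjdbc's own ObjectFactory code, and the `PluginLoading` class, the `NoopPasswordCallback` plugin and the `java.util.ArrayList` stand-in value are constructed for the example:

```java
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

public final class PluginLoading {
    // Vulnerable pattern: the class named in the connection property is resolved,
    // initialized and constructed before anything checks its type, so any class
    // with a no-arg constructor runs its static initializer and constructor here.
    static CallbackHandler loadPasswordCallbackUnchecked(Properties info) throws Exception {
        String name = info.getProperty("sslpasswordcallback");
        Object plugin = Class.forName(name).getDeclaredConstructor().newInstance();
        return (CallbackHandler) plugin; // a ClassCastException here comes too late
    }

    // Hardened pattern: resolve the class WITHOUT initializing it, require it to be
    // a subtype of the expected interface, and only then construct it.
    static <T> T loadChecked(Class<T> expected, String name) throws Exception {
        ClassLoader loader = PluginLoading.class.getClassLoader();
        Class<?> raw = Class.forName(name, false, loader);
        if (!expected.isAssignableFrom(raw)) {
            throw new IllegalArgumentException(
                "class " + name + " does not implement " + expected.getName());
        }
        return raw.asSubclass(expected).getDeclaredConstructor().newInstance();
    }

    static CallbackHandler loadPasswordCallbackChecked(Properties info) throws Exception {
        return loadChecked(CallbackHandler.class, info.getProperty("sslpasswordcallback"));
    }
    // Constructed example of a legitimate plugin for the sslpasswordcallback property.
    public static final class NoopPasswordCallback implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) { /* supplies no password */ }
    }

    public static void main(String[] args) throws Exception {
        Properties info = new Properties();
        // Constructed stand-in for an attacker-controlled value: a real class that
        // is on every classpath but is not a CallbackHandler.
        info.setProperty("sslpasswordcallback", "java.util.ArrayList");
        try {
            loadPasswordCallbackChecked(info);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected before instantiation: " + e.getMessage());
        }
        info.setProperty("sslpasswordcallback", NoopPasswordCallback.class.getName());
        CallbackHandler h = loadPasswordCallbackChecked(info);
        System.out.println("loaded " + h.getClass().getSimpleName());
    }
}
```

The checked variant passes `false` for the initialize flag so that a rejected class never has its static initializer run, which the unchecked variant cannot avoid.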
Comment 1 Carlos López 2022-02-04 14:51:16 UTC
Affected:
 - SUSE:SLE-15-SP2:Update:Products:Manager41:Update
 - SUSE:SLE-15-SP3:Update
 - openSUSE:Factory
Comment 2 Artem Shiliaev 2022-02-24 13:57:41 UTC
https://github.com/SUSE/spacewalk/issues/16938
Comment 3 Alexander Bergmann 2022-04-06 13:33:42 UTC
Any progress here?
Comment 6 Michael Calmer 2022-04-13 08:38:05 UTC
A MU for postgresql-jdbc with version switch to 4.2.25 is already in Maintenance for SLE-15-SP3:Update.

Reading https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4 it says:

Patched versions: 42.2.25, 42.3.2

This means with this update we should be ok.
The CVE and bug are not in the changelog as this issue was unknown and also the upstream changelog of this version was missing it.

See https://smelt.suse.de/incident/23479/

Re-assign to security team for tracking
Comment 14 Swamp Workflow Management 2022-06-21 10:16:56 UTC
SUSE-SU-2022:2145-1: An update that solves 5 vulnerabilities, contains two features and has 33 fixes is now available.

Category: security (important)
Bug References: 1173527,1182742,1189501,1190535,1191143,1192850,1193032,1193238,1193707,1194262,1194447,1194594,1194909,1195561,1196067,1196338,1196407,1196702,1196704,1197356,1197429,1197438,1197488,1198221,1198356,1198686,1198914,1199036,1199142,1199149,1199512,1199528,1199577,1199629,1199677,1199888,1200212,1200606
CVE References: CVE-2022-21698,CVE-2022-21724,CVE-2022-21952,CVE-2022-26520,CVE-2022-31248
JIRA References: SLE-24238,SLE-24239
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150200.6.12.2, golang-github-lusitaniae-apache_exporter-0.7.0-150200.2.6.2, golang-github-prometheus-node_exporter-1.3.0-150200.3.9.3, patterns-suse-manager-4.1-150200.6.12.2, postgresql-jdbc-42.2.10-150200.3.8.2, prometheus-exporters-formula-0.9.5-150200.3.31.2, prometheus-formula-0.3.7-150200.3.21.2, py27-compat-salt-3000.3-150200.6.24.2, spacecmd-4.1.18-150200.4.39.3, spacewalk-backend-4.1.31-150200.4.50.4, spacewalk-java-4.1.46-150200.3.71.5, spacewalk-setup-4.1.11-150200.3.18.2, spacewalk-utils-4.1.20-150200.3.30.2, spacewalk-web-4.1.34-150200.3.47.6, subscription-matcher-0.28-150200.3.15.2, susemanager-4.1.36-150200.3.52.1, susemanager-doc-indexes-4.1-150200.11.55.4, susemanager-docs_en-4.1-150200.11.55.2, susemanager-schema-4.1.26-150200.3.45.4, susemanager-sls-4.1.36-150200.3.64.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-06-21 10:20:08 UTC
SUSE-SU-2022:2143-1: An update that solves four vulnerabilities and has 28 fixes is now available.

Category: security (moderate)
Bug References: 1182742,1189501,1190535,1192850,1193032,1193238,1193707,1194262,1194447,1194594,1194909,1195561,1196338,1196407,1196702,1196704,1197356,1197429,1197438,1197488,1198221,1198356,1198686,1198914,1199036,1199142,1199149,1199512,1199528,1199629,1199677,1199888
CVE References: CVE-2022-21724,CVE-2022-21952,CVE-2022-26520,CVE-2022-31248
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.15-150200.3.80.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.15-150200.3.56.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.15-150200.3.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.