Bug 1197356 - (CVE-2022-26520) VUL-0: CVE-2022-26520: postgresql-jdbc: Arbitrary File Write Vulnerability
(CVE-2022-26520)
VUL-0: CVE-2022-26520: postgresql-jdbc: Arbitrary File Write Vulnerability
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/325793/
CVSSv3.1:SUSE:CVE-2022-26520:6.3:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-03-21 16:13 UTC by Gabriele Sonnu
Modified: 2022-08-03 19:16 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Gabriele Sonnu 2022-03-21 16:13:00 UTC
In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3
https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc
https://jdbc.postgresql.org/documentation/head/tomcat.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2064007
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26520
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26520
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc
https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3
https://jdbc.postgresql.org/documentation/head/tomcat.html
Comment 1 Gabriele Sonnu 2022-03-21 16:18:19 UTC
Upstream disputed the issue and don't consider this a real security vulnerability (excerpt from [0]):

> The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.
>
> It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system.

In any case they decided to remove the loggerFile and loggerLevel connection properties in the driver as a mitigation [1].

[0] https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
[1] https://github.com/pgjdbc/pgjdbc/commit/f6d47034a4ce292e1a659fa00963f6f713117064
Comment 2 Gabriele Sonnu 2022-03-21 16:18:54 UTC
Tracking as affected:

 - SUSE:SLE-15-SP2:Update:Products:Manager41:Update/postgresql-jdbc  42.2.10
 - SUSE:SLE-15-SP3:Update/postgresql-jdbc                            42.2.16    
 - openSUSE:Factory/postgresql-jdbc                                  42.2.25
Comment 3 Gabriele Sonnu 2022-04-12 13:40:45 UTC
Also affected:

 - SUSE:SLE-15-SP4:Update/postgresql-jdbc 42.2.25
Comment 9 Michael Calmer 2022-06-13 11:28:48 UTC
AFAIK all submissions done.
Re-assign to security team for tracking.
Comment 10 Swamp Workflow Management 2022-06-21 10:17:27 UTC
SUSE-SU-2022:2145-1: An update that solves 5 vulnerabilities, contains two features and has 33 fixes is now available.

Category: security (important)
Bug References: 1173527,1182742,1189501,1190535,1191143,1192850,1193032,1193238,1193707,1194262,1194447,1194594,1194909,1195561,1196067,1196338,1196407,1196702,1196704,1197356,1197429,1197438,1197488,1198221,1198356,1198686,1198914,1199036,1199142,1199149,1199512,1199528,1199577,1199629,1199677,1199888,1200212,1200606
CVE References: CVE-2022-21698,CVE-2022-21724,CVE-2022-21952,CVE-2022-26520,CVE-2022-31248
JIRA References: SLE-24238,SLE-24239
Sources used:
SUSE Linux Enterprise Module for SUSE Manager Server 4.1 (src):    golang-github-QubitProducts-exporter_exporter-0.4.0-150200.6.12.2, golang-github-lusitaniae-apache_exporter-0.7.0-150200.2.6.2, golang-github-prometheus-node_exporter-1.3.0-150200.3.9.3, patterns-suse-manager-4.1-150200.6.12.2, postgresql-jdbc-42.2.10-150200.3.8.2, prometheus-exporters-formula-0.9.5-150200.3.31.2, prometheus-formula-0.3.7-150200.3.21.2, py27-compat-salt-3000.3-150200.6.24.2, spacecmd-4.1.18-150200.4.39.3, spacewalk-backend-4.1.31-150200.4.50.4, spacewalk-java-4.1.46-150200.3.71.5, spacewalk-setup-4.1.11-150200.3.18.2, spacewalk-utils-4.1.20-150200.3.30.2, spacewalk-web-4.1.34-150200.3.47.6, subscription-matcher-0.28-150200.3.15.2, susemanager-4.1.36-150200.3.52.1, susemanager-doc-indexes-4.1-150200.11.55.4, susemanager-docs_en-4.1-150200.11.55.2, susemanager-schema-4.1.26-150200.3.45.4, susemanager-sls-4.1.36-150200.3.64.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-06-21 10:20:30 UTC
SUSE-SU-2022:2143-1: An update that solves four vulnerabilities and has 28 fixes is now available.

Category: security (moderate)
Bug References: 1182742,1189501,1190535,1192850,1193032,1193238,1193707,1194262,1194447,1194594,1194909,1195561,1196338,1196407,1196702,1196704,1197356,1197429,1197438,1197488,1198221,1198356,1198686,1198914,1199036,1199142,1199149,1199512,1199528,1199629,1199677,1199888
CVE References: CVE-2022-21724,CVE-2022-21952,CVE-2022-26520,CVE-2022-31248
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    release-notes-susemanager-4.1.15-150200.3.80.1
SUSE Manager Retail Branch Server 4.1 (src):    release-notes-susemanager-proxy-4.1.15-150200.3.56.1
SUSE Manager Proxy 4.1 (src):    release-notes-susemanager-proxy-4.1.15-150200.3.56.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-08-03 19:16:16 UTC
SUSE-SU-2022:2655-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1197356
CVE References: CVE-2022-26520
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    postgresql-jdbc-42.2.25-150400.3.3.2
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    postgresql-jdbc-42.2.25-150400.3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.