CVE Vulnerabilities

CVE-2022-21724

Improper Initialization

Published: Feb 02, 2022 | Modified: Nov 07, 2023
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
7 MODERATE
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

Weakness

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

Affected Software

Name Vendor Start Version End Version
Postgresql_jdbc_driver Postgresql * 42.2.25 (excluding)
Postgresql_jdbc_driver Postgresql 42.3.0 (including) 42.3.2 (excluding)
Postgresql_jdbc_driver Postgresql 42.3.2-rc1 (including) 42.3.2-rc1 (including)
Libpgjava Ubuntu bionic *
Libpgjava Ubuntu impish *
Libpgjava Ubuntu kinetic *
Libpgjava Ubuntu trusty *
Libpgjava Ubuntu upstream *
Libpgjava Ubuntu xenial *
Red Hat build of Quarkus 2.7.5 RedHat postgresql *
Red Hat Fuse 7.11 RedHat jdbc-postgresql *
RHINT Service Registry 2.3.0 GA RedHat quarkus-jdbc-postgresql-deployment *
RHPAM 7.13.1 async RedHat jdbc-postgresql *

Potential Mitigations

  • Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, in Java, if the programmer does not explicitly initialize a variable, then the code could produce a compile-time error (if the variable is local) or automatically initialize the variable to the default value for the variable’s type. In Perl, if explicit initialization is not performed, then a default value of undef is assigned, which is interpreted as 0, false, or an equivalent value depending on the context in which the variable is accessed.

References