CVE-2022-26520
Arbitrary File Write vulnerability in postgresql (Maven)


What is CVE-2022-26520 About?

This vulnerability in pgjdbc before 42.3.3 allows an attacker who can set the `loggerFile` and `loggerLevel` connection properties to write to arbitrary files, because the driver passes the supplied path straight to `java.util.logging.FileHandler`. This could lead to remote code execution or system compromise. Exploitation relies on an application accepting connection properties from an untrusted source, which makes it moderately difficult to exploit.

Affected Software

org.postgresql:postgresql >42.1.0, <42.3.3

Technical Details

In pgjdbc versions prior to 42.3.3, the JDBC driver does not validate the loggerFile and loggerLevel connection properties. An attacker who can control the JDBC URL or connection properties can specify an arbitrary file path for loggerFile and a logging level for loggerLevel. The driver then opens a java.util.logging.FileHandler on that attacker-controlled path and writes its log output there. By pointing loggerFile at a sensitive location (e.g., a web server's document root with a .jsp extension) and influencing the log content (e.g., through error messages), an attacker can write attacker-chosen content to an arbitrary file. This can result in malicious executable files being placed on the system, such as a JSP web shell under a Tomcat web root, leading to remote code execution.
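For applications that cannot upgrade immediately, the practical mitigation is to never pass untrusted connection properties to the driver unfiltered. The following is an added example (not code from pgjdbc or from this advisory) of an allowlist guard; the class name, the allowlisted keys and the sample tenant input are assumptions constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

/** Allowlists pgjdbc connection properties that come from an untrusted source (hypothetical helper). */
public final class PgjdbcPropertyGuard {
    // Keys this hypothetical application actually needs; everything else, including
    // loggerFile and loggerLevel, is dropped. Matching is case-insensitive as a conservative choice.
    private static final Set<String> ALLOWED = Set.of("user", "password", "sslmode", "currentschema");

    /** Returns a copy of the supplied properties containing only allowlisted keys. */
    public static Properties sanitize(Properties untrusted) {
        Properties safe = new Properties();
        for (String name : untrusted.stringPropertyNames()) {
            if (ALLOWED.contains(name.toLowerCase(Locale.ROOT))) {
                safe.setProperty(name, untrusted.getProperty(name));
            }
        }
        return safe;
    }

    /** pgjdbc also reads properties from the URL query string, so reject any non-allowlisted key there. */
    public static String requireCleanUrl(String jdbcUrl) {
        int q = jdbcUrl.indexOf('?');
        if (q < 0) return jdbcUrl;
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key = URLDecoder.decode(eq < 0 ? pair : pair.substring(0, eq), StandardCharsets.UTF_8);
            if (!ALLOWED.contains(key.toLowerCase(Locale.ROOT))) {
                throw new IllegalArgumentException("disallowed JDBC URL parameter: " + key);
            }
        }
        return jdbcUrl;
    }

    public static void main(String[] args) {
        // Constructed sample: properties a tenant might submit through a configuration form.
        Properties tenantSupplied = new Properties();
        tenantSupplied.setProperty("user", "app");
        tenantSupplied.setProperty("loggerFile", "/path/chosen/by/tenant.log");
        tenantSupplied.setProperty("loggerLevel", "DEBUG");
        System.out.println("kept: " + sanitize(tenantSupplied).stringPropertyNames());
        try {
            requireCleanUrl("jdbc:postgresql://db:5432/app?loggerFile=/tmp/out.log");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Apply both checks before the properties or URL reach DriverManager or a DataSource; upgrading to 42.3.3 remains the actual fix.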

What is the Impact of CVE-2022-26520?

Successful exploitation may allow attackers to write arbitrary files to the file system, leading to remote code execution, defacement, or complete system compromise.

What is the Exploitability of CVE-2022-26520?

Exploitation requires an attacker to control the JDBC URL or connection properties provided to an application using the vulnerable pgjdbc driver. The complexity is medium, as it requires knowledge of the target system's file paths and the ability to influence connection parameters. Authentication is typically required to provide connection properties, though the specific context varies by application. The attacker needs no particular privileges on the server initially, but the application using pgjdbc runs with its own privileges, which the attacker can leverage. This can be a remote or local vulnerability depending on how connection properties are supplied. A special condition is that the application must use pgjdbc with untrusted connection properties. Risk factors that increase exploitation likelihood include applications that expose database connection configuration to user input, or that are deployed in a multi-tenant environment where one tenant could manipulate connection strings for other tenants.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2022-26520?

Available Upgrade Options

  • org.postgresql:postgresql
    • >42.1.0, <42.3.3 → Upgrade to 42.3.3


Additional Resources

What are Similar Vulnerabilities to CVE-2022-26520?

Similar Vulnerabilities: CVE-2021-4104, CVE-2021-21300, CVE-2020-13936, CVE-2019-2729, CVE-2017-1000382