Обсуждение: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters
Hello Kurt, Steve, vendors, originally, the following deficiency has been reported by Steffen Dettmer: [1] http://seclists.org/bugtraq/2012/Mar/125 A SQL injection flaw was found in the way postgresql-jdbc, a JDBC driver for PostgreSQL database, performed escaping of certain JDBC statement parameters. A remote attacker could provide a JDBC statement with specially-crafted parameters, which once processed by the postgresql-jdbc driver would lead to SQL injection. References: [2] http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html [3] https://bugzilla.novell.com/show_bug.cgi?id=754273 [4] https://bugzilla.redhat.com/show_bug.cgi?id=807394 Upon further issue investigation and discussion with Tom Lane of PostgreSQL upstream and JDBC driver upstream the following conclusion has been provided: The upstream development team of the JDBC driver for the PostgreSQL database does not consider improper escaping of certain JDBC statement / query parameters, when the JDBC driver of version older than the version of underlying PostgresSQL server is being used, to be a security defect. In general, the JDBC driver for the PostgreSQL database does not promise to work with server releases newer than the driver release. This is NOT an official JDBC driver for PostgreSQL database development team statement yet (in the sense it would reference some upstream document / web page). Anyway, we have got preliminary notification there is a upstream intention to provide such page (document which postgresql-jdbc versions are expected to work correctly with which versions of PostgreSQL database server). Till this is done, please take this post as a clarification of postgresql-jdbc's upstream intentions to dispute the possibly later allocated CVE identifier to this issue (posting this sooner yet one can be allocated to this though some vendors might still be interested in allocation). For now Red Hat Security Response Team decided to agree with the above upstream assessment / pursue the way to upstream conclusion. Though in the future if some further details would appear, forcing us to change this conclusion, we might revisit our decision. Thank you && Regards, Jan. -- Jan iankko Lieskovsky / Red Hat Security Response Team
What follows is just one perspective from a DBA at a production shop. Jan Lieskovsky <jlieskov@redhat.com> wrote: > This is NOT an official JDBC driver for PostgreSQL database > development team statement yet (in the sense it would reference > some upstream document / web page). > Anyway, we have got preliminary notification there is a upstream > intention to provide such page (document which postgresql-jdbc > versions are expected to work correctly with which versions of > PostgreSQL database server). Presumably you are aware of this section on the download page: http://jdbc.postgresql.org/download.html#current Which says: | This is the current version of the driver. Unless you have unusual | requirements (running old applications or JVMs), this is the | driver you should be using. It supports Postgresql 7.2 or newer | and requires a 1.4 or newer JVM. It contains support for SSL and | the javax.sql package. It comes in two flavors, JDBC3 and JDBC4. | If you are using the 1.6 or 1.7 JVM, then you should use the JDBC4 | version. | | JDBC3 Postgresql Driver, Version 9.1-901 | | JDBC4 Postgresql Driver, Version 9.1-901 And the section on supported versions of PostgreSQL: http://www.postgresql.org/support/versioning/ ... which shows version 8.1 as having reached end-of-life and gone out of support five years after release, in November, 2010. As far as I could tell from a quick skim of the referenced links, this problem only exists when using this out-of-support version of the JDBC driver. While I certainly can't speak for the PostgreSQL community, I can say that the shop at which I work (the Consolidated Courts Automation Program of the Wisconsin Supreme Court), we pay attention to these pages and never consider it safe to use an unsupported version. We upgrade our JDBC drivers as soon as practicable whenever the recommended version on the JDBC download page changes. Of course, this is assigned to be done with some application software release and the JDBC version rolls out through development, testing, and staging servers before it is deployed to production, as we do with the server product itself. It is frequently mentioned on the PostgreSQL support lists that it is not a good idea to use older drivers and client libraries with newer servers, although the opposite is supported. We respect this advice, and it seems reasonable to us. If that's not mentioned explicitly on an official web page, I agree that it should be. -Kevin
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/30/2012 06:28 AM, Jan Lieskovsky wrote: > Hello Kurt, Steve, vendors, > > originally, the following deficiency has been reported by Steffen > Dettmer: [1] http://seclists.org/bugtraq/2012/Mar/125 > > A SQL injection flaw was found in the way postgresql-jdbc, a JDBC > driver for PostgreSQL database, performed escaping of certain JDBC > statement parameters. A remote attacker could provide a JDBC > statement with specially-crafted parameters, which once processed > by the postgresql-jdbc driver would lead to SQL injection. > > References: [2] > http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html > [3] https://bugzilla.novell.com/show_bug.cgi?id=754273 [4] > https://bugzilla.redhat.com/show_bug.cgi?id=807394 > > Upon further issue investigation and discussion with Tom Lane of > PostgreSQL upstream and JDBC driver upstream the following > conclusion has been provided: > > The upstream development team of the JDBC driver for the > PostgreSQL database does not consider improper escaping of certain > JDBC statement / query parameters, when the JDBC driver of version > older than the version of underlying PostgresSQL server is being > used, to be a security defect. In general, the JDBC driver for the > PostgreSQL database does not promise to work with server releases > newer than the driver release. Apologies for the delay, at first I agreed with the above, but then I checked and I think it's a bit more nuanced than that. First off: I agree this is not an issue in PostgreSQL upstream. This issue only occurs with an ancient unsupported and obsolete version of the JDBC driver when being used with a newer version of PostgreSQL. However having stated that there is a security boundary violation going on. Just because a software component is out of date or not supported doesn't mean security bugs shouldn't at least be acknowledged (software tends to live past its designed lifetime). Add to this the fact that someone actually reported it we can state with some certainty that it affected at least one person, ergo there is a reasonable chance it may affect others. So I checked the CVE database, we have 64 instances of "when used with", some reasonable examples: CVE-2009-4040,Candidate,"Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.0.17 and 2.5.x before 2.5.2, when used with Internet Explorer 6 or 7, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the search page.","CONFIRM:http://www.phpmyfaq.de/advisory_2009-09-01.php CVE-2008-2705,Candidate,"Unspecified vulnerability in Sun Java System Access Manager (AM) 7.1, when used with certain versions and configurations of Sun Directory Server Enterprise Edition (DSEE), allows remote attackers to bypass authentication via unspecified vectors.","SUNALERT:238416 So I think it's safe to say that we can (and should) assign CVE's based on the unintended interactions of products (assigning a CVE helps ensure that people are more likely to find out, security scanners all love to pick up on CVE's, etc.). I'm going to assign a CVE for this and suggest a description of (stolen directly from the first bug report (http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html): "When using PostgreSQL JDBC driver version 8.1 to connect to a PostgreSQL version 9.1 database, escaping of JDBC statement parameters does not work and SQL injection attacks are possible. It should be noted that the PostgreSQL JDBC driver version 8.1 is officially obsolete and should not be used." Please use CVE-2012-1618 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPfKHoAAoJEBYNRVNeJnmT/u4QAI03PTYXs1ceSoMIZ1ORjj7x vFTKfdOaXercFFonIrVzf4e54gCObUJgse3rdz6ONh59FkqDSDW1WISYhLi+pMAj fLCng+vaB3ctiI6KurenKpy1fIWg9CsNTsx+9N2UG0JorMYp9hhih/9KRcwcvbLV TXl7psu7OhOKc6J2re1bjQO+gbyVPZxvkYfs1CvXvIh27FWWzoNFYLL34rRdZIwo fcfy5z7AWEehxpPRRBijllYVQambqdXu2m8PBRLn7pgy/dRPuDbn/yiKcC39+1EK jcaiFH7P1XtXXQouy13Ta3yhHsZiVDZmNyR+YKnRYQIY9ICjFNxR+rdBbSM0f2Eu JO1Sa9eewe7bsylIchIRoVtGuzvOlxv18Dujp6iD7pvIaLNJ9uuuabz9lX/9rm3p WX++VxYk+k+cGOGjttnlSfiS+TYnFjLgS6fM4AAp6oBPg13ndrKJL4m7qYNoJzjd S4JhOxn8VcgRFAo8otLzIRxWrsYYG8/xybr5/NESmC8hcr0mhYUIGyLx5qu0/QAR ri1QT3BPs7SoqGGaJHUZtqOK/vAkDHn1SdA/VopWcpk2XmP2rd0h0Mh+jkA3Pd6C SaL2HvwRq9a9T9rJozESHnPd8HqvDgaUdKADcYEV9xS+axZMHRPpHSppvt93GKao ClES06wUx2zOrWyNijbF =jlUp -----END PGP SIGNATURE-----
Kurt Seifried <kseifried@redhat.com> writes: > So I think it's safe to say that we can (and should) assign CVE's > based on the unintended interactions of products (assigning a CVE > helps ensure that people are more likely to find out, security > scanners all love to pick up on CVE's, etc.). I'm going to assign a > CVE for this and suggest a description of (stolen directly from the > first bug report > (http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html): > "When using PostgreSQL JDBC driver version 8.1 to connect to a > PostgreSQL version 9.1 database, escaping of JDBC statement parameters > does not work and SQL injection attacks are possible. It should be > noted that the PostgreSQL JDBC driver version 8.1 is officially > obsolete and should not be used." > Please use CVE-2012-1618 for this issue. Well, if you want to have a CVE for this, you should use a more complete description. The actual scenario is that pre-8.2 versions of the JDBC driver do not know about the "standard_conforming_strings" option of more recent Postgres servers, and are insecure with *any* Postgres server in which that option is turned on, which has been possible since server version 8.2. What changed in the 9.1 server is that that option is now on by default. It's still possible (and will remain so for the foreseeable future) to turn the option off in the server configuration, making this and other ancient clients secure again. But that isn't the default anymore. regards, tom lane
On 04/04/2012 01:47 PM, Tom Lane wrote: > Kurt Seifried <kseifried@redhat.com> writes: >> So I think it's safe to say that we can (and should) assign CVE's >> based on the unintended interactions of products (assigning a CVE >> helps ensure that people are more likely to find out, security >> scanners all love to pick up on CVE's, etc.). I'm going to assign a >> CVE for this and suggest a description of (stolen directly from the >> first bug report >> (http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html): > >> "When using PostgreSQL JDBC driver version 8.1 to connect to a >> PostgreSQL version 9.1 database, escaping of JDBC statement parameters >> does not work and SQL injection attacks are possible. It should be >> noted that the PostgreSQL JDBC driver version 8.1 is officially >> obsolete and should not be used." > >> Please use CVE-2012-1618 for this issue. > > Well, if you want to have a CVE for this, you should use a more > complete description. The actual scenario is that pre-8.2 versions > of the JDBC driver do not know about the "standard_conforming_strings" > option of more recent Postgres servers, and are insecure with *any* > Postgres server in which that option is turned on, which has been > possible since server version 8.2. What changed in the 9.1 server > is that that option is now on by default. It's still possible > (and will remain so for the foreseeable future) to turn the option off > in the server configuration, making this and other ancient clients > secure again. But that isn't the default anymore. > > regards, tom lane Ahh perfect, thanks for the extra details! -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993