The PostgreSQL JDBC Driver (PgJDBC) in AlmaLinux 9 is vulnerable to SQL injection via the `java.sql.ResultRow.refreshRow()` method
Reporter | Title | Published | Views | Family All 76 |
---|---|---|---|---|
SUSE Linux | Security update for postgresql-jdbc (important) | 18 Oct 202200:00 | – | suse |
SUSE Linux | Security update for postgresql-jdbc (important) | 6 Oct 202200:00 | – | suse |
Oracle linux | postgresql-jdbc security update | 24 Jan 202300:00 | – | oraclelinux |
Debian | [SECURITY] [DLA 3140-1] libpgjava security update | 8 Oct 202201:00 | – | debian |
Debian | [SECURITY] [DLA 3995-1] libpgjava security update | 16 Dec 202409:08 | – | debian |
Tenable Nessus | Fedora 35 : postgresql-jdbc (2022-cdeabe1bc0) | 23 Dec 202200:00 | – | nessus |
Tenable Nessus | Oracle Linux 9 : postgresql-jdbc (ELSA-2023-0318) | 24 Jan 202300:00 | – | nessus |
Tenable Nessus | SUSE SLES15 Security Update : postgresql-jdbc (SUSE-SU-2022:3613-1) | 19 Oct 202200:00 | – | nessus |
Tenable Nessus | Debian DLA-3140-1 : libpgjava - LTS security update | 8 Oct 202200:00 | – | nessus |
Tenable Nessus | RHEL 9 : postgresql-jdbc (RHSA-2023:0318) | 23 Jan 202300:00 | – | nessus |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# AlmaLinux Security Advisory ALSA-2023:0318.
##
include('compat.inc');
if (description)
{
script_id(170571);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/06");
script_cve_id("CVE-2022-31197");
script_xref(name:"ALSA", value:"2023:0318");
script_name(english:"AlmaLinux 9 : postgresql-jdbc (ALSA-2023:0318)");
script_set_attribute(attribute:"synopsis", value:
"The remote AlmaLinux host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The remote AlmaLinux 9 host has a package installed that is affected by a vulnerability as referenced in the
ALSA-2023:0318 advisory.
- PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using
standard, database independent Java code. The PGJDBC implementation of the
`java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column
name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to
executing additional SQL commands as the application's JDBC user. User applications that do not invoke the
`ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted
if the underlying database that they are querying via their JDBC application may be under the control of
an attacker. The attack requires the attacker to trick the user into executing SQL against a table name
who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on
the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC
application that executes as a privileged user querying database schemas owned by potentially malicious
less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to
craft a schema that causes the application to execute commands as the privileged user. Patched versions
will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds
for this issue. (CVE-2022-31197)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://errata.almalinux.org/9/ALSA-2023-0318.html");
script_set_attribute(attribute:"solution", value:
"Update the affected postgresql-jdbc package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-31197");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(89);
script_set_attribute(attribute:"vuln_publication_date", value:"2022/08/03");
script_set_attribute(attribute:"patch_publication_date", value:"2023/01/23");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/25");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:postgresql-jdbc");
script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9");
script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:9::appstream");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Alma Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AlmaLinux/release", "Host/AlmaLinux/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/AlmaLinux/release');
if (isnull(os_release) || 'AlmaLinux' >!< os_release) audit(AUDIT_OS_NOT, 'AlmaLinux');
var os_ver = pregmatch(pattern: "AlmaLinux release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');
os_ver = os_ver[1];
if (! preg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'AlmaLinux 9.x', 'AlmaLinux ' + os_ver);
if (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);
var pkgs = [
{'reference':'postgresql-jdbc-42.2.18-6.el9_1', 'release':'9', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'Alma-' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'postgresql-jdbc');
}
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo