Skip site navigation (1) Skip section navigation (2)

Re: [oss-security] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters

From: Kurt Seifried <kseifried(at)redhat(dot)com>
To: Tom Lane <tgl(at)redhat(dot)com>
Cc: oss-security(at)lists(dot)openwall(dot)com, Jan Lieskovsky <jlieskov(at)redhat(dot)com>, "Steven M(dot) Christey" <coley(at)linus(dot)mitre(dot)org>, pgsql-jdbc(at)postgresql(dot)org, Steffen Dettmer <steffen(at)dett(dot)de>
Subject: Re: [oss-security] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters
Date: 2012-04-04 19:49:26
Message-ID: 4F7CA5C6.3010207@redhat.com (view raw or flat)
Thread:
Lists: pgsql-jdbc
On 04/04/2012 01:47 PM, Tom Lane wrote:
> Kurt Seifried <kseifried(at)redhat(dot)com> writes:
>> So I think it's safe to say that we can (and should) assign CVE's
>> based on the unintended interactions of products (assigning a CVE
>> helps ensure that people are more likely to find out, security
>> scanners all love to pick up on CVE's, etc.). I'm going to assign a
>> CVE for this and suggest a description of (stolen directly from the
>> first bug report
>> (http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html):
> 
>> "When using PostgreSQL JDBC driver version 8.1 to connect to a
>> PostgreSQL version 9.1 database, escaping of JDBC statement parameters
>> does not work and SQL injection attacks are possible. It should be
>> noted that the PostgreSQL JDBC driver version 8.1 is officially
>> obsolete and should not be used."
> 
>> Please use CVE-2012-1618 for this issue.
> 
> Well, if you want to have a CVE for this, you should use a more
> complete description.  The actual scenario is that pre-8.2 versions
> of the JDBC driver do not know about the "standard_conforming_strings"
> option of more recent Postgres servers, and are insecure with *any*
> Postgres server in which that option is turned on, which has been
> possible since server version 8.2.  What changed in the 9.1 server
> is that that option is now on by default.  It's still possible
> (and will remain so for the foreseeable future) to turn the option off
> in the server configuration, making this and other ancient clients
> secure again.  But that isn't the default anymore.
> 
> 			regards, tom lane

Ahh perfect, thanks for the extra details!

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

In response to

pgsql-jdbc by date

Next:From: Bernd HelmleDate: 2012-04-05 08:54:38
Subject: prepareTreshold=0 vs. transaction control commands
Previous:From: Tom LaneDate: 2012-04-04 19:47:52
Subject: Re: [oss-security] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group