Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters

From: "Kevin Grittner" <Kevin(dot)Grittner(at)wicourts(dot)gov>
To: "Steven M(dot) Christey" <coley(at)linus(dot)mitre(dot)org>
Cc: "Steffen Dettmer" <steffen(at)dett(dot)de>, <oss-security(at)lists(dot)openwall(dot)com>,<pgsql-jdbc(at)postgresql(dot)org>, "Tom Lane" <tgl(at)redhat(dot)com>
Subject: Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters
Date: 2012-04-02 16:16:44
Message-ID: 4F798A9C0200002500046A8D@gw.wicourts.gov
Lists: pgsql-jdbc

What follows is just one perspective from a DBA at a production
shop.

Jan Lieskovsky <jlieskov(at)redhat(dot)com> wrote:

> This is NOT an official JDBC driver for PostgreSQL database
> development team statement yet (in the sense it would reference
> some upstream document / web page).
> Anyway, we have got preliminary notification there is an upstream
> intention to provide such page (document which postgresql-jdbc
> versions are expected to work correctly with which versions of
> PostgreSQL database server).

Presumably you are aware of this section on the download page:

http://jdbc.postgresql.org/download.html#current

Which says:

| This is the current version of the driver. Unless you have unusual
| requirements (running old applications or JVMs), this is the
| driver you should be using. It supports Postgresql 7.2 or newer
| and requires a 1.4 or newer JVM. It contains support for SSL and
| the javax.sql package. It comes in two flavors, JDBC3 and JDBC4.
| If you are using the 1.6 or 1.7 JVM, then you should use the JDBC4
| version.
|
| JDBC3 Postgresql Driver, Version 9.1-901
|
| JDBC4 Postgresql Driver, Version 9.1-901

And the section on supported versions of PostgreSQL:

http://www.postgresql.org/support/versioning/

... which shows version 8.1 as having reached end-of-life and gone
out of support five years after release, in November, 2010. As far
as I could tell from a quick skim of the referenced links, this
problem only exists when using this out-of-support version of the
JDBC driver.

While I certainly can't speak for the PostgreSQL community, I can
say that at the shop at which I work (the Consolidated Courts
Automation Program of the Wisconsin Supreme Court), we pay attention
to these pages and never consider it safe to use an unsupported
version. We upgrade our JDBC drivers as soon as practicable
whenever the recommended version on the JDBC download page changes.
Of course, this is assigned to be done with some application
software release and the JDBC version rolls out through development,
testing, and staging servers before it is deployed to production, as
we do with the server product itself.

It is frequently mentioned on the PostgreSQL support lists that it
is not a good idea to use older drivers and client libraries with
newer servers, although the opposite is supported. We respect this
advice, and it seems reasonable to us. If that's not mentioned
explicitly on an official web page, I agree that it should be.

-Kevin
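The "older driver against a newer server" advice above lends itself to an automated check at connection time. The following is an added example, not code from the pgjdbc project or from the thread; it assumes only the standard `java.sql.DatabaseMetaData` version accessors, and the version strings in `main` are constructed samples in the formats used by the download page ("9.1-901") and the versioning page ("9.1.3").

```java
import java.sql.Connection;
import java.sql.DatabaseMetaData;
import java.sql.SQLException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class DriverVersionCheck {
    // Leading "major.minor" of strings such as "9.1-901" (driver) or "9.1.3" (server).
    private static final Pattern MAJOR_MINOR = Pattern.compile("^(\\d+)\\.(\\d+)");

    /** Returns {major, minor} parsed from the start of a version label. */
    static int[] majorMinor(String version) {
        Matcher m = MAJOR_MINOR.matcher(version.trim());
        if (!m.find()) {
            throw new IllegalArgumentException("unrecognised version label: " + version);
        }
        return new int[] { Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)) };
    }

    /** True when the driver's major.minor is behind the server's (the discouraged pairing). */
    static boolean driverOlderThanServer(int dMajor, int dMinor, int sMajor, int sMinor) {
        return dMajor < sMajor || (dMajor == sMajor && dMinor < sMinor);
    }

    /** Same check on version labels copied from the download / versioning pages. */
    static boolean driverOlderThanServer(String driverLabel, String serverLabel) {
        int[] d = majorMinor(driverLabel);
        int[] s = majorMinor(serverLabel);
        return driverOlderThanServer(d[0], d[1], s[0], s[1]);
    }

    /** Same check against a live connection, using the integer accessors so no
     *  driver-specific version string has to be parsed. */
    static boolean driverOlderThanServer(Connection conn) throws SQLException {
        DatabaseMetaData md = conn.getMetaData();
        return driverOlderThanServer(md.getDriverMajorVersion(), md.getDriverMinorVersion(),
                                     md.getDatabaseMajorVersion(), md.getDatabaseMinorVersion());
    }

    public static void main(String[] args) {
        // Constructed sample pairs; no database connection needed for these.
        System.out.println(driverOlderThanServer("8.1-405", "9.1.3"));  // true: old driver, newer server
        System.out.println(driverOlderThanServer("9.1-901", "9.1.3"));  // false: matching release
        System.out.println(driverOlderThanServer("9.1-901", "8.4.11")); // false: newer driver is fine
    }
}
```

A deployment pipeline can call the `Connection` overload once at startup and refuse to proceed when it returns true, which turns the list advice into an enforced policy rather than a convention.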
