Date: Wed, 04 Apr 2012 13:32:56 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Jan Lieskovsky <jlieskov@...hat.com>, "Steven M. Christey" <coley@...us.mitre.org>, Tom Lane <tgl@...hat.com>, pgsql-jdbc@...tgresql.org, Steffen Dettmer <steffen@...t.de> Subject: Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 03/30/2012 06:28 AM, Jan Lieskovsky wrote: > Hello Kurt, Steve, vendors, > > originally, the following deficiency has been reported by Steffen > Dettmer:  http://seclists.org/bugtraq/2012/Mar/125 > > A SQL injection flaw was found in the way postgresql-jdbc, a JDBC > driver for PostgreSQL database, performed escaping of certain JDBC > statement parameters. A remote attacker could provide a JDBC > statement with specially-crafted parameters, which once processed > by the postgresql-jdbc driver would lead to SQL injection. > > References:  > http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html >  https://bugzilla.novell.com/show_bug.cgi?id=754273  > https://bugzilla.redhat.com/show_bug.cgi?id=807394 > > Upon further issue investigation and discussion with Tom Lane of > PostgreSQL upstream and JDBC driver upstream the following > conclusion has been provided: > > The upstream development team of the JDBC driver for the > PostgreSQL database does not consider improper escaping of certain > JDBC statement / query parameters, when the JDBC driver of version > older than the version of underlying PostgresSQL server is being > used, to be a security defect. In general, the JDBC driver for the > PostgreSQL database does not promise to work with server releases > newer than the driver release. Apologies for the delay, at first I agreed with the above, but then I checked and I think it's a bit more nuanced than that. First off: I agree this is not an issue in PostgreSQL upstream. This issue only occurs with an ancient unsupported and obsolete version of the JDBC driver when being used with a newer version of PostgreSQL. However having stated that there is a security boundary violation going on. Just because a software component is out of date or not supported doesn't mean security bugs shouldn't at least be acknowledged (software tends to live past its designed lifetime). Add to this the fact that someone actually reported it we can state with some certainty that it affected at least one person, ergo there is a reasonable chance it may affect others. So I checked the CVE database, we have 64 instances of "when used with", some reasonable examples: CVE-2009-4040,Candidate,"Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.0.17 and 2.5.x before 2.5.2, when used with Internet Explorer 6 or 7, allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to the search page.","CONFIRM:http://www.phpmyfaq.de/advisory_2009-09-01.php CVE-2008-2705,Candidate,"Unspecified vulnerability in Sun Java System Access Manager (AM) 7.1, when used with certain versions and configurations of Sun Directory Server Enterprise Edition (DSEE), allows remote attackers to bypass authentication via unspecified vectors.","SUNALERT:238416 So I think it's safe to say that we can (and should) assign CVE's based on the unintended interactions of products (assigning a CVE helps ensure that people are more likely to find out, security scanners all love to pick up on CVE's, etc.). I'm going to assign a CVE for this and suggest a description of (stolen directly from the first bug report (http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html): "When using PostgreSQL JDBC driver version 8.1 to connect to a PostgreSQL version 9.1 database, escaping of JDBC statement parameters does not work and SQL injection attacks are possible. It should be noted that the PostgreSQL JDBC driver version 8.1 is officially obsolete and should not be used." Please use CVE-2012-1618 for this issue. - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPfKHoAAoJEBYNRVNeJnmT/u4QAI03PTYXs1ceSoMIZ1ORjj7x vFTKfdOaXercFFonIrVzf4e54gCObUJgse3rdz6ONh59FkqDSDW1WISYhLi+pMAj fLCng+vaB3ctiI6KurenKpy1fIWg9CsNTsx+9N2UG0JorMYp9hhih/9KRcwcvbLV TXl7psu7OhOKc6J2re1bjQO+gbyVPZxvkYfs1CvXvIh27FWWzoNFYLL34rRdZIwo fcfy5z7AWEehxpPRRBijllYVQambqdXu2m8PBRLn7pgy/dRPuDbn/yiKcC39+1EK jcaiFH7P1XtXXQouy13Ta3yhHsZiVDZmNyR+YKnRYQIY9ICjFNxR+rdBbSM0f2Eu JO1Sa9eewe7bsylIchIRoVtGuzvOlxv18Dujp6iD7pvIaLNJ9uuuabz9lX/9rm3p WX++VxYk+k+cGOGjttnlSfiS+TYnFjLgS6fM4AAp6oBPg13ndrKJL4m7qYNoJzjd S4JhOxn8VcgRFAo8otLzIRxWrsYYG8/xybr5/NESmC8hcr0mhYUIGyLx5qu0/QAR ri1QT3BPs7SoqGGaJHUZtqOK/vAkDHn1SdA/VopWcpk2XmP2rd0h0Mh+jkA3Pd6C SaL2HvwRq9a9T9rJozESHnPd8HqvDgaUdKADcYEV9xS+axZMHRPpHSppvt93GKao ClES06wUx2zOrWyNijbF =jlUp -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.