In all cases, it is a best practice to configure every JDBC connection with the minimal set of properties required for the application and server to function. When configuring properties, avoid settings with a wide scope (e.g. server.properties) or settings that any authenticated user can change (e.g. jdbc/user/pass). As a last-resort defensive measure, block the pgjdbc driver by placing a deny statement in your application's security configuration (e.g. the <filter> or <mapping> sections).
Requirement: a vendor-supported way to disable the driver.
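The "minimal properties" advice above can be enforced in code rather than by convention. The following is an added example, not code from the pgjdbc project or this advisory: the application builds the driver's Properties object from an explicit allowlist, so that only the settings it actually needs (here assumed to be user and password) can come from a caller, every other setting is fixed server-side, and property-smuggling through the JDBC URL query string is rejected. The allowlist, the fixed values and the host name db.example.internal are assumptions for this example.

```java
import java.util.Map;
import java.util.Properties;
import java.util.Set;

// Added example (not pgjdbc project code). Builds the java.util.Properties that
// will be handed to the driver from an explicit allowlist, so that a caller (or
// any authenticated user who can influence the caller) cannot add settings the
// application did not intend to expose.
public final class MinimalPgProperties {

    // Assumed allowlist: the only keys a caller may supply.
    private static final Set<String> ALLOWED_FROM_CALLER = Set.of("user", "password");

    // Assumed fixed, server-controlled settings; callers can never override them.
    private static final Map<String, String> FIXED = Map.of(
            "ssl", "true",
            "sslmode", "verify-full",
            "connectTimeout", "10");

    // Assumed connection URL prefix. Only host, port and database are fixed here;
    // the query string is rejected so no properties can arrive via the URL.
    private static final String URL_PREFIX = "jdbc:postgresql://db.example.internal:5432/";

    private MinimalPgProperties() {}

    // Returns Properties containing only allowlisted caller keys plus the fixed
    // settings; throws IllegalArgumentException on any other key.
    public static Properties build(Map<String, String> callerSupplied) {
        Properties props = new Properties();
        for (Map.Entry<String, String> e : callerSupplied.entrySet()) {
            if (!ALLOWED_FROM_CALLER.contains(e.getKey())) {
                throw new IllegalArgumentException("property not allowed: " + e.getKey());
            }
            props.setProperty(e.getKey(), e.getValue());
        }
        // Fixed values are applied last so they always win.
        props.putAll(FIXED);
        return props;
    }

    // Accepts only URLs of the fixed prefix with a plain database name and no
    // query string; throws IllegalArgumentException otherwise.
    public static String validateUrl(String url) {
        if (url == null || !url.startsWith(URL_PREFIX)) {
            throw new IllegalArgumentException("unexpected JDBC URL");
        }
        String dbName = url.substring(URL_PREFIX.length());
        if (dbName.isEmpty() || !dbName.matches("[A-Za-z0-9_]+")) {
            // Rejects '?', '&', '=' and '/' so nothing but the database name remains.
            throw new IllegalArgumentException("database name or query string not allowed");
        }
        return url;
    }

    public static void main(String[] args) {
        // Constructed sample input: a well-behaved caller.
        Properties ok = build(Map.of("user", "app", "password", "s3cret"));
        System.out.println("accepted: " + ok.stringPropertyNames());
        System.out.println("url ok: " + validateUrl(URL_PREFIX + "appdb"));

        // Constructed sample input: extra property and URL smuggling are refused.
        try {
            build(Map.of("user", "app", "someOtherProperty", "x"));
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
        try {
            validateUrl(URL_PREFIX + "appdb?someOtherProperty=x");
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The same idea applies when the connection is defined by the container rather than in code (for example a Tomcat-managed DataSource, as in the Tomcat documentation linked under References): keep the resource definition to the properties the application needs, and do not let values that any authenticated user can set flow into it.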
Requirements of the Security Configuration
The pgjdbc driver will not function if a security configuration denies it access to a JDBC connection.
Vendor-supplied FQDN, port and SSL/TLS fingerprint
The pgjdbc driver is typically installed with a vendor-supplied FQDN (e.g. server.example.com:5432), port number (e.g. 5432) and SSL/TLS certificate fingerprint (e.g. 1F8:48:81:B6:0D:C2:FF). Vendors typically ship these in the default configuration files bundled with the driver, and users should not modify them: they are required by the JDBC specification for authentication purposes and may vary with the configuration of the application server or database service being connected to.
Timeline
Published on: 03/10/2022 17:47:00 UTC
Last modified on: 08/01/2022 11:15:00 UTC
References
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-673j-qm5f-xpv8
- https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3
- https://github.com/pgjdbc/pgjdbc/pull/2454/commits/017b929977b4f85795f9ad2fa5de6e80978b8ccc
- https://jdbc.postgresql.org/documentation/head/tomcat.html
- https://www.debian.org/security/2022/dsa-5196
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-26520