The open-source PostgreSQL JDBC Driver, nicknamed pgjdbc, has a vulnerability in certain versions (CVE-2022-41946) that can lead to an information disclosure issue. This vulnerability stems from the creation of temporary files when using prepared statements with specific InputStream configurations. In this post, we will delve into the details of this vulnerability, provide code snippets demonstrating the issue, and point to ways to fix or mitigate the problem.

Details of the Vulnerability

When a prepared statement in pgjdbc uses PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) and the InputStream is larger than 2k, the driver spools the stream to a temporary file. On Unix-like systems this file is readable by other users; on macOS it is not. The exposure arises because, on Unix-like systems, the JVM's temporary directory (java.io.tmpdir) is shared among all users, so a file the driver writes there can be read by any other account on the same system.

It is important to note that this vulnerability does not enable other users to overwrite the contents of these files or directories. The issue is strictly limited to information disclosure.

Affected Versions and Solutions

The vulnerability affects certain versions of pgjdbc, and the appropriate fix depends on the JDK version in use.

1. For Java 1.7 and higher users: The vulnerability is fixed in pgjdbc version 4.5.. Update to this version to patch the issue.

2. For Java 1.6 and lower users: Unfortunately, there is no available patch. However, there is a workaround. Set the java.io.tmpdir JVM system property (for example with -Djava.io.tmpdir=<private directory> on the command line) to a directory owned exclusively by the executing user, so the temporary file is no longer written into the shared directory.
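The following Java 7+ program is an added example, not pgjdbc code, that carries out the java.io.tmpdir workaround and adds the check a defender would want around it: it audits the current shared temporary directory for regular files that group or others can read, creates a directory with owner-only (rwx------) permissions, points java.io.tmpdir at it, and confirms that a temporary file created afterwards lands inside that directory. The class and method names are assumptions; the only driver-related fact it relies on is the one stated above, that the driver's temporary file follows java.io.tmpdir.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example (hypothetical class, not part of pgjdbc): a private directory for the
// java.io.tmpdir workaround, plus an audit of the shared temporary directory.
public final class PrivateTmpDir {

    // Creates a directory only the current user can enter or read (rwx------) and
    // points java.io.tmpdir at it. Must run before anything in the JVM creates a temp file.
    public static Path install(Path parent) throws IOException {
        FileAttribute<Set<PosixFilePermission>> ownerOnly =
                PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rwx------"));
        Path dir = Files.createTempDirectory(parent, "pgjdbc-private-", ownerOnly);
        System.setProperty("java.io.tmpdir", dir.toAbsolutePath().toString());
        return dir;
    }

    // True when no group/other permission bit is set on dir, which is the state we want for tmpdir.
    public static boolean isOwnerOnly(Path dir) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir, LinkOption.NOFOLLOW_LINKS);
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE
                    && p != PosixFilePermission.OWNER_EXECUTE) {
                return false;
            }
        }
        return true;
    }

    // Regular files directly under dir that group or others can read: the exposure described
    // for CVE-2022-41946, whoever created them. Entries that cannot be stat'ed are skipped.
    public static List<Path> findExposedFiles(Path dir) throws IOException {
        List<Path> exposed = new ArrayList<Path>();
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path p : entries) {
                if (!Files.isRegularFile(p, LinkOption.NOFOLLOW_LINKS)) {
                    continue;
                }
                Set<PosixFilePermission> perms;
                try {
                    perms = Files.getPosixFilePermissions(p, LinkOption.NOFOLLOW_LINKS);
                } catch (IOException e) {
                    continue;
                }
                if (perms.contains(PosixFilePermission.GROUP_READ)
                        || perms.contains(PosixFilePermission.OTHERS_READ)) {
                    exposed.add(p);
                }
            }
        }
        return exposed;
    }

    public static void main(String[] args) throws IOException {
        // 1. Audit the directory the JVM would use by default (typically shared by all users).
        Path shared = Paths.get(System.getProperty("java.io.tmpdir"));
        System.out.println("shared temp dir " + shared + " owner-only: " + isOwnerOnly(shared));
        for (Path p : findExposedFiles(shared)) {
            System.out.println("  readable by group/others: " + p);
        }

        // 2. Switch to a private directory under the user's home before any temp file is created.
        Path priv = install(Paths.get(System.getProperty("user.home")));
        System.out.println("java.io.tmpdir now " + priv + " owner-only: " + isOwnerOnly(priv));

        // 3. java.io.File.createTempFile follows java.io.tmpdir; inside priv the file's own mode
        //    no longer matters to other users, because they cannot traverse the parent directory.
        File probe = File.createTempFile("probe-", ".tmp");
        System.out.println("probe created in " + probe.getParent()
                + ", exposed files there: " + findExposedFiles(priv).size());
        probe.delete();
        Files.delete(priv);
    }
}
```

Two practical notes on applying this. java.io.File reads java.io.tmpdir once, the first time a temporary file is created, so in production set the property on the JVM command line (-Djava.io.tmpdir=<private directory>) rather than trusting that install() runs before every other library; the runtime call above is there to make the check self-contained. On Java 1.6 the java.nio.file package does not exist, so create the directory out of band (mkdir plus chmod 700) and pass the same command-line flag; that is exactly the workaround the advisory gives for those releases.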

Here are some example code snippets that demonstrate the behavior leading to the vulnerability:

import java.io.InputStream;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

// Each statement streams a parameter larger than 2k, the size above which the affected
// driver spools the stream to a temporary file instead of holding it in memory.
static void insertLargeValues(Connection connection, InputStream largeInputStream1, InputStream largeInputStream2) throws SQLException {
    PreparedStatement pstmt1 = connection.prepareStatement("INSERT INTO my_table(text_col) VALUES (?)");
    pstmt1.setText(1, largeInputStream1); // largeInputStream1: an InputStream larger than 2k
    pstmt1.executeUpdate();
    PreparedStatement pstmt2 = connection.prepareStatement("INSERT INTO my_table(bytea_col) VALUES (?)");
    pstmt2.setBytea(1, largeInputStream2); // largeInputStream2: an InputStream larger than 2k
    pstmt2.executeUpdate();
}

For more information and details on the vulnerability, you can refer to the original sources:

1. CVE-2022-41946 Details
2. pgjdbc Official Repository

Conclusion

CVE-2022-41946 is an information disclosure vulnerability in pgjdbc that results from temporary file creation when certain InputStream configurations are used in prepared statements. The fix depends on the JDK version in use: update to pgjdbc 4.5. for Java 1.7 and higher, or set java.io.tmpdir to a directory owned exclusively by the executing user for Java 1.6 and lower. Be sure to fully understand the extent of the vulnerability and apply the appropriate solution to safeguard your systems.

Timeline

Published on: 11/23/2022 20:15:00 UTC
Last modified on: 07/06/2023 13:37:00 UTC