CVE-2024-32888 - SQL Injection Vulnerability in Amazon JDBC Driver for Redshift with "preferQueryMode=simple"

The Amazon JDBC Driver for Redshift is a Type 4 JDBC driver that provides database connectivity through the standard JDBC application program interfaces (APIs) available in the Java Platform, Enterprise Editions. A recently discovered vulnerability, CVE-2024-32888, affects this driver when the non-default connection property preferQueryMode=simple is used in conjunction with application code that has a vulnerable SQL statement that negates a parameter value. It is important to note that there is no vulnerability in the driver when using the default extended query mode. Also, the preferQueryMode is not a supported parameter in Redshift JDBC driver and is inherited from the code of the Postgres JDBC driver. Users who do not override default settings to utilize this unsupported query mode are not affected. This issue is patched in driver version 2.1..28. As a workaround, do not use the connection property preferQueryMode=simple.

Exploit Details

The vulnerability arises when the preferQueryMode=simple setting is used together with a vulnerable SQL statement. Here's an example of a potentially malicious Java code snippet utilizing this vulnerability:

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class RedshiftExploit {
    public static void main(String[] args) throws SQLException {
        String url = "jdbc:redshift://<Your_Redshift_Endpoint>:5439/mydb?preferQueryMode=simple";
        String user = "your_user";
        String password = "your_password";

        Connection connection = DriverManager.getConnection(url, user, password);
        Statement statement = connection.createStatement();

        String userInput = "1'; DROP TABLE users;";
        String vulnerableSQL = "SELECT * FROM users WHERE id = " + userInput;
        ResultSet resultSet = statement.executeQuery(vulnerableSQL);
        // ...
    }
}

In this example, the SQL injection happens because the userInput variable contains a malicious string and is directly used in the construction of the SQL query. With the preferQueryMode=simple setting, the driver incorrectly processes the user input, leading to SQL injection.

Resolution and Workarounds

The vulnerability has been patched in version 2.1..28 of the Amazon JDBC Driver for Redshift. Users are advised to upgrade to this or a later version as soon as possible. Find the patch and updates here: Amazon Redshift JDBC Driver Releases

For users who are unable to upgrade the driver or require a temporary workaround, the best option is to avoid using the preferQueryMode=simple setting since it is not supported on Redshift. This parameter can be removed from the connection string or explicitly set its value to the default "extend":

String url = "jdbc:redshift://<Your_Redshift_Endpoint>:5439/mydb?preferQueryMode=extend";

Please note that users who do not explicitly specify a query mode use the default "extended query mode" and are not affected by this issue. Additionally, always validate and sanitize any user inputs that are incorporated in SQL queries to minimize the risk of any potential SQL injection vulnerabilities.

Timeline

Published on: 05/15/2024 03:15:12 UTC
Last modified on: 06/04/2024 17:49:45 UTC