Updates for JDBC drivers
FraPazGal opened this issue · 4 comments
Hello! I wanted to check with you whether an update to the supported JDBC drivers is on the roadmap. There are several vulnerabilities affecting the mysql and psql driver versions currently used that would be solved by using newer ones.
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| mysql:mysql-connector-java (mysql-connector-java-8.0.27.jar) | CVE-2022-21363 | MEDIUM | 8.0.27 | 8.0.28 | Difficult to exploit vulnerability allows high privileged attacker with network access via... https://avd.aquasec.com/nvd/cve-2022-21363 |
| org.postgresql:postgresql (postgresql-42.2.25.jar) | CVE-2022-26520 | CRITICAL | 42.2.25 | 42.3.3 | postgresql-jdbc: Arbitrary File Write Vulnerability https://avd.aquasec.com/nvd/cve-2022-26520 |
| org.postgresql:postgresql (postgresql-42.2.25.jar) | CVE-2022-31197 | HIGH | 42.2.25 | 42.2.26, 42.3.7, 42.4.1 | postgresql: SQL Injection in ResultSet.refreshRow() with malicious column names https://avd.aquasec.com/nvd/cve-2022-31197 |
| org.postgresql:postgresql (postgresql-42.2.25.jar) | CVE-2022-41946 | MEDIUM | 42.2.25 | 42.2.27, 42.3.8, 42.4.3, 42.5.1 | Information leak of prepared statement data due to insecure temporary file permissions... https://avd.aquasec.com/nvd/cve-2022-41946 |
| org.postgresql:postgresql (postgresql-42.2.25.jar) | GHSA-673j-qm5f-xpv8 | MEDIUM | 42.2.25 | 42.3.3 | pgjdbc Arbitrary File Write Vulnerability https://github.com/advisories/GHSA-673j-qm5f-xpv8 |
I saw #1121 but it seems to be stale.
Thanks in advance!
It seems the sqlite-jdbc version 3.32.3.3 is also affected by a CVE and should probably be updated:
| Library | Vulnerability | Severity | Installed Version | Fixed Version | Title |
|---|---|---|---|---|---|
| org.xerial:sqlite-jdbc (sqlite-jdbc-3.32.3.3.jar) | CVE-2023-32697 | HIGH | 3.32.3.3 | 3.41.2.2 | Remote code execution when JDBC url is attacker controlled https://avd.aquasec.com/nvd/cve-2023-32697 |
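The scanner tables in the two comments above list fixed versions on several release branches (for example `42.2.26, 42.3.7, 42.4.1`), so "is my jar still affected?" is not a single comparison. The following is an added example, not code from this issue or from the adapter project: it parses driver jar file names like the ones reported above, then decides per advisory whether the installed version is still affected. The branch rule is an assumption of this example, not something the scanner output states: a fixed version on the same `major.minor` branch as the installed jar wins if one exists; otherwise the jar is treated as fixed only if it is newer than every listed fixed version.

```ruby
require "rubygems" # for Gem::Version; loaded by default in normal Ruby setups

# Findings copied from the scanner tables in the issue above.
# artifact => { advisory id => fixed versions reported for that advisory }
FINDINGS = {
  "mysql-connector-java" => { "CVE-2022-21363" => %w[8.0.28] },
  "postgresql" => {
    "CVE-2022-26520" => %w[42.3.3],
    "CVE-2022-31197" => %w[42.2.26 42.3.7 42.4.1],
    "CVE-2022-41946" => %w[42.2.27 42.3.8 42.4.3 42.5.1],
  },
  "sqlite-jdbc" => { "CVE-2023-32697" => %w[3.41.2.2] },
}.freeze

# Jar names as they appear in the report: <artifact>-<dotted version>.jar.
# The artifact part is matched lazily so "mysql-connector-java-8.0.27.jar"
# splits at the last hyphen before the numeric version.
JAR_NAME = /\A(?<artifact>[a-z][a-z0-9-]*?)-(?<version>\d+(?:\.\d+)+)\.jar\z/

# Returns [artifact, Gem::Version] for a jar path or file name.
def parse_jar(filename)
  m = JAR_NAME.match(File.basename(filename))
  raise ArgumentError, "unrecognised jar name: #{filename}" unless m
  [m[:artifact], Gem::Version.new(m[:version])]
end

# Release branch of a version: its first two segments (e.g. [42, 2]).
def branch(version)
  version.segments.first(2)
end

# Heuristic (assumption of this example): an installed version is still
# affected when it is below the fix published on its own release branch, or,
# if no fix exists on that branch, when it is below every published fix.
def vulnerable?(installed, fixed_versions)
  fixed = fixed_versions.map { |s| Gem::Version.new(s) }
  same_branch = fixed.select { |f| branch(f) == branch(installed) }
  if same_branch.any?
    installed < same_branch.min
  else
    installed < fixed.max
  end
end

# Maps each jar name to the advisory ids that still apply to it.
def open_findings(jar_files)
  jar_files.each_with_object({}) do |jar, out|
    artifact, version = parse_jar(jar)
    advisories = FINDINGS.fetch(artifact, {})
    out[File.basename(jar)] = advisories.select { |_, fixed| vulnerable?(version, fixed) }.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the three jars named in the scanner output above.
  jars = %w[mysql-connector-java-8.0.27.jar postgresql-42.2.25.jar sqlite-jdbc-3.32.3.3.jar]
  open_findings(jars).each do |jar, ids|
    puts "#{jar}: #{ids.empty? ? 'no open findings' : ids.join(', ')}"
  end
end
```

Running it against the three jars from the report lists every advisory above as open; swapping in `postgresql-42.3.8.jar` clears all three PostgreSQL entries, while `postgresql-42.5.0.jar` would still show CVE-2022-41946 (fixed on that branch only in 42.5.1), which is exactly the kind of branch-specific case a plain "installed < highest fixed" comparison gets wrong.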
I saw your security email and I'm working on updating these now.
Pushed all three; the SQLite3 update might need backports + an adapter release in order for users to be able to use the updated version.
Haven't looked at the test, so that might end up needing more work with the adapter ...
Also, the related CVE ("Remote code execution when JDBC url is attacker controlled") would only apply in weird use-cases, certainly not with Rails.