2.9 Ensure monitoring and alerting exists for sessions from unsupported Snowflake Connector for Python and JDBC and ODBC drivers

Information

Snowflake provides client software (drivers, connectors, etc.) for connecting to Snowflake and using certain Snowflake features (e.g. Apache Kafka for loading data, Apache Hive metadata for external tables). The clients must be installed on each local workstation or system from which you wish to connect. The Snowflake Connector for Python, JDBC and ODBC drivers are some of the most used Snowflake clients.

Old versions of drivers and connectors may contain security vulnerabilities that have been fixed in the latest version. To ensure that only up-to-date software is used, you should actively monitor session logins coming from unsupported clients and upgrade those to the latest available versions.

Using out-of-date Snowflake clients can expose your account to security risks. You should monitor for connections from unsupported Snowflake Connector for Python and JDBC and ODBC drivers and upgrade to the latest versions available.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Programmatically:

In a Snowsight worksheet or through the SnowSQL CLI:

- Check the Recommended Client Versions documentation and note the minimum versions of the Snowflake Connector for Python, JDBC driver and ODBC driver.

- Create a UDF to help you compare version numbers:

  CREATE OR REPLACE FUNCTION compare_versions(v1 VARCHAR, v2 VARCHAR)
  -- result compares v1 and v2
  -- result == lower means that v1 is lower than v2
  -- note: both inputs are expected to be three numeric components (major.minor.patch);
  -- a missing component compares as NULL and the CASE falls through to 'equal'
  RETURNS VARCHAR
  AS $$
    case
      when CAST(SPLIT(v1, '.')[0] AS NUMBER) < CAST(SPLIT(v2, '.')[0] AS NUMBER) then 'lower'
      when CAST(SPLIT(v1, '.')[0] AS NUMBER) > CAST(SPLIT(v2, '.')[0] AS NUMBER) then 'higher'
      when CAST(SPLIT(v1, '.')[1] AS NUMBER) < CAST(SPLIT(v2, '.')[1] AS NUMBER) then 'lower'
      when CAST(SPLIT(v1, '.')[1] AS NUMBER) > CAST(SPLIT(v2, '.')[1] AS NUMBER) then 'higher'
      when CAST(SPLIT(v1, '.')[2] AS NUMBER) < CAST(SPLIT(v2, '.')[2] AS NUMBER) then 'lower'
      when CAST(SPLIT(v1, '.')[2] AS NUMBER) > CAST(SPLIT(v2, '.')[2] AS NUMBER) then 'higher'
      else 'equal'
    end
  $$;

- Configure your security monitoring solution to alert on sessions from unsupported versions. Replace the version numbers below with the latest versions from the previous step. The following query can be run periodically.

  SELECT CREATED_ON,
         USER_NAME,
         SPLIT(CLIENT_APPLICATION_ID, ' ')[0]::varchar AS "CLIENT_APP",
         CLIENT_APPLICATION_VERSION,
         CLIENT_ENVIRONMENT
  FROM SNOWFLAKE.ACCOUNT_USAGE.SESSIONS
  WHERE ("CLIENT_APP" = 'JDBC' AND COMPARE_VERSIONS(CLIENT_APPLICATION_VERSION, '3.13.6') = 'lower')
     OR ("CLIENT_APP" = 'ODBC' AND COMPARE_VERSIONS(CLIENT_APPLICATION_VERSION, '2.23.3') = 'lower')
     OR ("CLIENT_APP" = 'PythonConnector' AND COMPARE_VERSIONS(CLIENT_APPLICATION_VERSION, '2.5.0') = 'lower')
  ORDER BY CLIENT_APPLICATION_ID;

- When detecting the use of unsupported clients, upgrade to the latest, recommended version.
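The compare_versions UDF above only handles three-component numeric versions: a string such as 3.13 yields NULL comparisons and falls through to 'equal' (so the session never alerts), and a non-numeric component cannot be cast at all. The following is an added example, not part of the benchmark or of Snowflake's own code: it keeps the per-client minimums in a table (the values are the placeholders from the query above and must be replaced from the Recommended Client Versions page) and compares through one numeric sort key that tolerates missing components and trailing suffixes. The table name client_min_versions, the function name version_key and the one-day lookback are the example's own assumptions.

```sql
-- Minimum supported version per client. Values below are placeholders copied
-- from the benchmark query; replace them with the current recommended versions.
CREATE OR REPLACE TABLE client_min_versions (
  client_app  VARCHAR,   -- first token of SESSIONS.CLIENT_APPLICATION_ID
  min_version VARCHAR
);
INSERT INTO client_min_versions VALUES
  ('JDBC',            '3.13.6'),
  ('ODBC',            '2.23.3'),
  ('PythonConnector', '2.5.0');

-- Turn "major.minor.patch[suffix]" into a single comparable number.
-- Missing components count as 0; a non-numeric tail on the patch component
-- (e.g. "0rc1") is trimmed to its leading digits instead of raising an error.
-- Assumes each component stays below 1000.
CREATE OR REPLACE FUNCTION version_key(v VARCHAR)
RETURNS NUMBER
AS $$
    COALESCE(TRY_TO_NUMBER(SPLIT_PART(v, '.', 1)), 0) * 1000000
  + COALESCE(TRY_TO_NUMBER(SPLIT_PART(v, '.', 2)), 0) * 1000
  + COALESCE(TRY_TO_NUMBER(REGEXP_SUBSTR(SPLIT_PART(v, '.', 3), '^[0-9]+')), 0)
$$;

-- Sessions in the last day whose client is older than its configured minimum.
-- Only clients listed in client_min_versions are evaluated.
SELECT s.CREATED_ON,
       s.USER_NAME,
       m.client_app,
       s.CLIENT_APPLICATION_VERSION,
       m.min_version,
       s.CLIENT_ENVIRONMENT
FROM SNOWFLAKE.ACCOUNT_USAGE.SESSIONS s
JOIN client_min_versions m
  ON m.client_app = SPLIT_PART(s.CLIENT_APPLICATION_ID, ' ', 1)
WHERE s.CREATED_ON >= DATEADD(day, -1, CURRENT_TIMESTAMP())
  AND version_key(s.CLIENT_APPLICATION_VERSION) < version_key(m.min_version)
ORDER BY s.CREATED_ON DESC;
```

Schedule the final SELECT in the monitoring tool at the same interval as the lookback window, and remember that ACCOUNT_USAGE views are populated with a delay, so the window should overlap the previous run rather than abut it.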

Impact:

None.

See Also

https://workbench.cisecurity.org/benchmarks/14781

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.7

Plugin: Snowflake

Control ID: cc98be55886e7ce4036feabfbe6fd911454fb755504e2c8b6fc0b152b7b07e1b