Debian DSA-5196-1 : libpgjava - security update

critical Nessus Plugin ID 163651

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5196 advisory.

- PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. (CVE-2020-13692)

- pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-21724)

- ** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.
(CVE-2022-26520)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libpgjava packages.

For the stable distribution (bullseye), these problems have been fixed in version 42.2.15-1+deb11u1.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=962828

https://security-tracker.debian.org/tracker/source-package/libpgjava

https://www.debian.org/security/2022/dsa-5196

https://security-tracker.debian.org/tracker/CVE-2020-13692

https://security-tracker.debian.org/tracker/CVE-2022-21724

https://security-tracker.debian.org/tracker/CVE-2022-26520

https://packages.debian.org/source/buster/libpgjava

https://packages.debian.org/source/bullseye/libpgjava

Plugin Details

Severity: Critical

ID: 163651

File Name: debian_DSA-5196.nasl

Version: 1.3

Type: local

Agent: unix

Published: 7/31/2022

Updated: 10/17/2023

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-26520

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:libpostgresql-jdbc-java-doc, p-cpe:/a:debian:debian_linux:libpostgresql-jdbc-java

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/31/2022

Vulnerability Publication Date: 6/4/2020

Reference Information

CVE: CVE-2020-13692, CVE-2022-21724, CVE-2022-26520