Debian DLA-3140-1 : libpgjava - LTS security update

high Nessus Plugin ID 165784

Synopsis

The remote Debian host is missing a security-related update.

Description

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3140 advisory.

- PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue. (CVE-2022-31197)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade the libpgjava packages.

For Debian 10 Buster, these problems have been fixed in version 42.2.5-2+deb10u2.

See Also

https://www.debian.org/lts/security/2022/dla-3140

https://security-tracker.debian.org/tracker/CVE-2022-31197

https://packages.debian.org/source/buster/libpgjava

Plugin Details

Severity: High

ID: 165784

File Name: debian_DLA-3140.nasl

Version: 1.4

Type: local

Agent: unix

Published: 10/8/2022

Updated: 10/10/2023

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-31197

CVSS v3

Risk Factor: High

Base Score: 8

Temporal Score: 7.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:libpostgresql-jdbc-java-doc, p-cpe:/a:debian:debian_linux:libpostgresql-jdbc-java

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/7/2022

Vulnerability Publication Date: 8/3/2022

Reference Information

CVE: CVE-2022-31197