Upstream information
Description
PostgreSQL JDBC Driver (PgJDBC for short) allows Java programs to connect to a PostgreSQL database using standard, database independent Java code. The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. This could lead to executing additional SQL commands as the application's JDBC user. User applications that do not invoke the `ResultSet.refreshRow()` method are not impacted. User application that do invoke that method are impacted if the underlying database that they are querying via their JDBC application may be under the control of an attacker. The attack requires the attacker to trick the user into executing SQL against a table name who's column names would contain the malicious SQL and subsequently invoke the `refreshRow()` method on the ResultSet. Note that the application's JDBC user and the schema owner need not be the same. A JDBC application that executes as a privileged user querying database schemas owned by potentially malicious less-privileged users would be vulnerable. In that situation it may be possible for the malicious user to craft a schema that causes the application to execute commands as the privileged user. Patched versions will be released as `42.2.26` and `42.4.1`. Users are advised to upgrade. There are no known workarounds for this issue.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
| National Vulnerability Database | SUSE | |
|---|---|---|
| Base Score | 8 | 8.1 |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | Low | None |
| User Interaction | Required | Required |
| Scope | Unchanged | Unchanged |
| Confidentiality Impact | High | High |
| Integrity Impact | High | High |
| Availability Impact | High | None |
| CVSSv3 Version | 3.1 | 3.1 |
SUSE Security Advisories:
- SUSE-SU-2022:3537-1, published Thu Oct 6 13:27:01 UTC 2022
- SUSE-SU-2022:3541-1, published Thu Oct 6 13:28:01 UTC 2022
- SUSE-SU-2022:3613-1, published Tue Oct 18 16:21:40 UTC 2022
- SUSE-SU-2022:3705-1, published Mon Oct 24 16:24:24 UTC 2022
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| Container suse/manager/5.0/x86_64/server:latest Image SLES15-SP4-Manager-Server-4-3 Image SLES15-SP4-Manager-Server-4-3-Azure-llc Image SLES15-SP4-Manager-Server-4-3-Azure-ltd Image SLES15-SP4-Manager-Server-4-3-BYOS Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE Image SLES15-SP4-Manager-Server-4-3-EC2-llc Image SLES15-SP4-Manager-Server-4-3-EC2-ltd |
| |
| Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE |
| |
| SUSE Enterprise Storage 7.1 SUSE Linux Enterprise High Performance Computing 15 SP3 SUSE Linux Enterprise Module for Server Applications 15 SP3 SUSE Linux Enterprise Server 15 SP3 SUSE Linux Enterprise Server for SAP Applications 15 SP3 SUSE Manager Proxy 4.2 SUSE Manager Retail Branch Server 4.2 SUSE Manager Server 4.2 |
| Patchnames: SUSE-SLE-Module-Server-Applications-15-SP3-2022-3613 |
| SUSE Liberty Linux 9 |
| Patchnames: RHSA-2023:0318 |
| SUSE Linux Enterprise High Performance Computing 15 SP4 SUSE Linux Enterprise Module for Server Applications 15 SP4 SUSE Linux Enterprise Server 15 SP4 SUSE Linux Enterprise Server for SAP Applications 15 SP4 SUSE Manager Proxy 4.3 SUSE Manager Retail Branch Server 4.3 SUSE Manager Server 4.3 |
| Patchnames: SUSE-SLE-Module-Server-Applications-15-SP4-2022-3537 |
| SUSE Linux Enterprise High Performance Computing 15 SP5 SUSE Linux Enterprise Module for Server Applications 15 SP5 SUSE Linux Enterprise Server 15 SP5 SUSE Linux Enterprise Server for SAP Applications 15 SP5 |
| Patchnames: SUSE Linux Enterprise Module for Server Applications 15 SP5 GA postgresql-jdbc-42.2.25-150400.3.9.2 |
| SUSE Linux Enterprise Server 12 SP2-BCL |
| Patchnames: SUSE-SLE-SERVER-12-SP2-BCL-2022-3541 |
| SUSE Linux Enterprise Server 12 SP3-BCL |
| Patchnames: SUSE-SLE-SERVER-12-SP3-BCL-2022-3541 |
| SUSE Linux Enterprise Server 12 SP4-ESPOS |
| Patchnames: SUSE-SLE-SERVER-12-SP4-ESPOS-2022-3541 |
| SUSE Linux Enterprise Server 12 SP4-LTSS |
| Patchnames: SUSE-SLE-SERVER-12-SP4-LTSS-2022-3541 |
| SUSE Linux Enterprise Server 12 SP5 SUSE Linux Enterprise Server for SAP Applications 12 SP5 |
| Patchnames: SUSE-SLE-SERVER-12-SP5-2022-3541 |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 |
| Patchnames: SUSE-SLE-SAP-12-SP4-2022-3541 |
| SUSE Manager Server Module 4.1 |
| Patchnames: SUSE-SLE-Module-SUSE-Manager-Server-4.1-2022-3705 |
| SUSE Manager Server Module 4.2 |
| Patchnames: SUSE-SLE-Module-SUSE-Manager-Server-4.2-2022-3613 |
| SUSE OpenStack Cloud 9 |
| Patchnames: SUSE-OpenStack-Cloud-9-2022-3541 |
| SUSE OpenStack Cloud Crowbar 9 |
| Patchnames: SUSE-OpenStack-Cloud-Crowbar-9-2022-3541 |
| openSUSE Leap 15.3 |
| Patchnames: openSUSE-SLE-15.3-2022-3613 |
| openSUSE Leap 15.4 |
| Patchnames: openSUSE-SLE-15.4-2022-3537 |
| openSUSE Tumbleweed |
| Patchnames: openSUSE Tumbleweed GA postgresql-jdbc-42.2.25-3.1 |
First public cloud image revisions this CVE is fixed in:
- amazon/suse-manager-server-4-2-byos-v20221105-hvm-ssd-x86_64
- amazon/suse-manager-server-4-3-byos-v20230121-hvm-ssd-x86_64
- google/suse-manager-server-4-2-byos-v20221104-x86-64
- google/suse-manager-server-4-3-byos-v20221105-x86-64
- microsoft/suse-manager-server-4-2-byos-v20221104-x86_64
- microsoft/suse-manager-server-4-3-byos-v20221105-x86_64
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.
| Product(s) | Source package | State |
|---|---|---|
| Products under general support and receiving all security fixes. | ||
| SUSE Enterprise Storage 7.1 | postgresql-jdbc | Released |
| SUSE Linux Enterprise High Performance Computing 12 SP5 | postgresql-jdbc | Released |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Module for Server Applications 15 SP5 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Real Time 15 SP3 | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise Server 12 SP5 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server 15 SP5 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | postgresql-jdbc | Released |
| SUSE Manager Proxy 4.3 | postgresql-jdbc | Released |
| SUSE Manager Retail Branch Server 4.3 | postgresql-jdbc | Released |
| SUSE Manager Server 4.3 | postgresql-jdbc | Released |
| SUSE Manager Server Module 4.3 | pgjdbc-ng | Not affected |
| Products under Long Term Service Pack support and receiving important and critical security fixes. | ||
| SUSE Linux Enterprise High Performance Computing 15 SP3 | postgresql-jdbc | Released |
| SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | postgresql-jdbc | Released |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise Module for Server Applications 15 SP3 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Module for Server Applications 15 SP4 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server 15 SP3 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server 15 SP3-LTSS | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise Server 15 SP4 | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server 15 SP4-LTSS | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise Server Business Critical Linux 15 SP3 | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | postgresql-jdbc | Released |
| SUSE OpenStack Cloud 8 | postgresql-jdbc | Affected |
| SUSE OpenStack Cloud 9 | postgresql-jdbc | Released |
| Products past their end of life and not receiving proactive updates anymore. | ||
| HPE Helion OpenStack 8 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Real Time 15 SP4 | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise Server 11 SP3 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 11 SP3-LTSS | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 11 SP4 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 11 SP4-LTSS | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP1 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP1-LTSS | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP2 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP2-BCL | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server 12 SP2-ESPOS | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP2-LTSS | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP3 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP3-BCL | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server 12 SP3-ESPOS | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP3-LTSS | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP4 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server 12 SP4-ESPOS | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server 12 SP4-LTSS | postgresql-jdbc | Released |
| SUSE Linux Enterprise Server 15 SP3-BCL | postgresql-jdbc | Already fixed |
| SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | postgresql-jdbc | Affected |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | postgresql-jdbc | Released |
| SUSE Manager Proxy 4.2 | postgresql-jdbc | Released |
| SUSE Manager Retail Branch Server 4.2 | postgresql-jdbc | Released |
| SUSE Manager Server 4.2 | postgresql-jdbc | Released |
| SUSE Manager Server Module 4.1 | pgjdbc-ng | Not affected |
| SUSE Manager Server Module 4.1 | postgresql-jdbc | Released |
| SUSE Manager Server Module 4.2 | pgjdbc-ng | Not affected |
| SUSE Manager Server Module 4.2 | postgresql-jdbc | Released |
| SUSE OpenStack Cloud 7 | postgresql-jdbc | Affected |
| SUSE OpenStack Cloud Crowbar 8 | postgresql-jdbc | Affected |
| SUSE OpenStack Cloud Crowbar 9 | postgresql-jdbc | Released |
| openSUSE Leap 15.3 | postgresql-jdbc | Released |
| openSUSE Leap 15.4 | postgresql-jdbc | Released |
| Products at an unknown state of their lifecycle. | ||
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | postgresql-jdbc | Already fixed |
| Container Status | ||
| suse/manager/5.0/x86_64/server | postgresql-jdbc | Already fixed |
SUSE Timeline for this CVE
CVE page created: Thu Aug 4 02:00:13 2022CVE page last modified: Fri Apr 19 14:23:27 2024