Impact
A weakness was found in postgresql-jdbc before version 42.3.2. pgjdbc instantiates plugin instances based on class names provided via the authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory and sslpasswordcallback connection properties. However, the driver did not verify that the named class implements the expected interface before instantiating it. This would allow a malicious class to be instantiated and to execute arbitrary code within the JVM.
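To make the flaw concrete, the following is an added illustration and is not pgjdbc's own source: it contrasts instantiating a class purely by name with a loader that checks the class against the expected interface before any constructor or static initialiser runs. The property used for the demonstration is sslhostnameverifier, whose expected type is the standard javax.net.ssl.HostnameVerifier; the PluginLoader and StrictVerifier classes are invented for the example.

```java
import java.lang.reflect.Constructor;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

/**
 * Illustrative only (not the driver's code): two ways of turning a class name
 * taken from a connection property into an object.
 */
public final class PluginLoader {

    private PluginLoader() {}

    /**
     * The pattern the advisory describes: the class named in the property is
     * loaded and constructed without checking what kind of object it is.
     * Class.forName(name) also runs the class's static initialiser, so code
     * from that class executes even if a later cast would fail.
     */
    public static Object instantiateUnchecked(String className)
            throws ReflectiveOperationException {
        Class<?> cls = Class.forName(className); // static initialiser runs here
        return cls.getDeclaredConstructor().newInstance();
    }

    /**
     * Hardened form: load the class without initialising it, verify that it is
     * a subtype of the expected interface, and only then construct it.
     */
    public static <T> T instantiateChecked(String className, Class<T> expected, ClassLoader loader)
            throws ReflectiveOperationException {
        // initialize=false: no static initialiser runs until the class has been accepted
        Class<?> cls = Class.forName(className, false, loader);
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(
                className + " does not implement " + expected.getName());
        }
        Constructor<?> ctor = cls.getDeclaredConstructor();
        return expected.cast(ctor.newInstance());
    }

    public static void main(String[] args) throws Exception {
        ClassLoader loader = PluginLoader.class.getClassLoader();

        // Constructed sample plugin name, as it might arrive via sslhostnameverifier
        String accepted = StrictVerifier.class.getName();
        HostnameVerifier v = instantiateChecked(accepted, HostnameVerifier.class, loader);
        System.out.println("loaded " + v.getClass().getName());

        // A real JDK class that is not a HostnameVerifier is rejected before construction
        try {
            instantiateChecked("java.util.ArrayList", HostnameVerifier.class, loader);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }

    /** Constructed sample plugin for the demonstration: accepts no host name. */
    public static final class StrictVerifier implements HostnameVerifier {
        public StrictVerifier() {}

        @Override
        public boolean verify(String hostname, SSLSession session) {
            return false;
        }
    }
}
```

The two details that matter are the `initialize=false` argument to Class.forName, which keeps static initialisers from running before the type check, and the isAssignableFrom check ahead of newInstance; a cast after construction would be too late, since the constructor has already executed.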
Patches
To resolve a possible RCE attack using the PostgreSQL JDBC driver, you are recommended to upgrade the driver to the current release, or at a minimum to 42.2.25 or 42.3.2.
The JDBC driver is commonly found in the Tomcat "lib" directory, as it is needed to create a connection to the Flamingo / Tailormap database both for authenticating and for storing and retrieving configuration data. This file is not part of the Flamingo / Tailormap web applications and should be updated manually; it is included in the release zip file of Tailormap / Flamingo. A container restart is required.
Workarounds
You can update the PostgreSQL JDBC driver manually if upgrading the application is not opportune at this time.
References
Please see:
For more information
If you have any questions or comments about this advisory: