github / securitylab

Resources related to GitHub Security Lab
https://securitylab.github.com
MIT License

[Java]: Add JDBC connection RCE sinks #771

Closed pyn3rd closed 1 year ago

pyn3rd commented 1 year ago

Query PR

github/codeql#8357

Language

Java

CVE(s) ID list

https://www.ibm.com/support/pages/node/7010029

CVE-2023-27869, CVE-2023-27867, CVE-2023-27868

CWE

No response

Report

JDBC is the basic implementation of Java applications. It is a fundamental Java API, which is utilized to specify how to connect to diverse databases. However, different vendors have the implementation for their own databases, like Oracle DB, IBM DB2, MySQL, PostgreSQL, etc.

Attackers are able to construct a malicious JDBC URL to conduct RCE with particular JDBC properties.

If there is an application that includes the IBM DB2 JDBC driver, the attacker can definitely trigger RCE, according to my reports.

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

Blog post link

No response
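As an added illustration (not the query in github/codeql#8357 and not the issue author's code), a minimal CodeQL query that models the URL argument of java.sql.DriverManager.getConnection as a taint sink for remote input, written against the taint-tracking configuration API as it existed at the time of this thread; the class names JdbcUrlSink and JdbcUrlConfig are assumed here.

```ql
/**
 * @name Untrusted input reaches a JDBC connection URL
 * @description A JDBC URL built from remote input lets a caller pick the
 *              driver and its connection properties, which the report above
 *              ties to driver-specific RCE.
 * @kind path-problem
 * @problem.severity error
 * @id java/example-untrusted-jdbc-url
 */

import java
import semmle.code.java.dataflow.FlowSources
import semmle.code.java.dataflow.TaintTracking
import DataFlow::PathGraph

/** The first argument (the URL) of `java.sql.DriverManager.getConnection(...)`. */
class JdbcUrlSink extends DataFlow::Node {
  JdbcUrlSink() {
    exists(MethodAccess ma |
      ma.getMethod().hasQualifiedName("java.sql", "DriverManager", "getConnection") and
      this.asExpr() = ma.getArgument(0)
    )
  }
}

/** Taint from any remote flow source (HTTP parameters, headers, ...) to the URL sink. */
class JdbcUrlConfig extends TaintTracking::Configuration {
  JdbcUrlConfig() { this = "JdbcUrlConfig" }

  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  override predicate isSink(DataFlow::Node sink) { sink instanceof JdbcUrlSink }
}

from JdbcUrlConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink,
  "JDBC connection URL depends on a $@.", source.getNode(), "user-provided value"
```

Extending the sink to vendor-specific entry points (for example a driver's own `connect` or `DataSource.setURL` method) is the kind of change the CodeQL All for one program described below is after.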

pyn3rd commented 1 year ago

BTW, could I create a report in HackerOne Bug Bounty Platform for your program? Like this one: https://hackerone.com/reports/1512936

sylwia-budzynska commented 1 year ago

Hello @pyn3rd :wave: GitHub Security Lab has two types of bug bounty programs—CodeQL All for one (write a CodeQL query and have it merged in the upstream CodeQL repository) and Bug Slayer (disclose and fix vulnerabilities in open source projects).

Unfortunately, since you are not the author of the CodeQL query, we cannot award a bounty in this category. The submission would be eligible for the bounty in the Bug Slayer program if the vulnerabilities were found in open source projects. However, since the projects aren’t open source, we cannot award a bounty in this category either.

We encourage you to create new or extend existing CodeQL queries to be eligible for a bounty in the CodeQL All for one category, or to disclose and fix vulnerabilities in open source projects with the queries for the Bug Slayer category! If you would be interested in running CodeQL queries at scale to find vulnerabilities in open source projects (for example, using the JDBC query you linked to), we suggest using MRVA—MRVA can run a given CodeQL query against a thousand open source projects hosted at GitHub at once using the built-in project lists or your own lists.

Good luck & happy hacking!

ghsecuritylab commented 1 year ago

Your submission is now in status Closed.

For information, the evaluation workflow is the following: Initial triage > Test run > Results analysis > Query review > Final decision > Pay > Closed