jruby / activerecord-jdbc-adapter

JRuby's ActiveRecord adapter using JDBC.
BSD 2-Clause "Simplified" License

Updates for JDBC drivers #1131

Closed FraPazGal closed 1 year ago

FraPazGal commented 1 year ago

Hello! I wanted to check with you whether an update to the supported JDBC drivers is on the roadmap. There are several vulnerabilities affecting the mysql and psql versions currently used that would be solved using newer ones.

┌──────────────────────────────────────────────────────────────┬─────────────────────┬──────────┬───────────────────┬─────────────────────────────────┬─────────────────────────────────────────────────────────────┐
│                           Library                            │    Vulnerability    │ Severity │ Installed Version │          Fixed Version          │                            Title                            │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ mysql:mysql-connector-java (mysql-connector-java-8.0.27.jar) │ CVE-2022-21363      │ MEDIUM   │ 8.0.27            │ 8.0.28                          │ Difficult to exploit vulnerability allows high privileged   │
│                                                              │                     │          │                   │                                 │ attacker with network access via...                         │
│                                                              │                     │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2022-21363                  │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ org.postgresql:postgresql (postgresql-42.2.25.jar)           │ CVE-2022-26520      │ CRITICAL │ 42.2.25           │ 42.3.3                          │ postgresql-jdbc: Arbitrary File Write Vulnerability         │
│                                                              │                     │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2022-26520                  │
│                                                              ├─────────────────────┼──────────┤                   ├─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-31197      │ HIGH     │                   │ 42.2.26, 42.3.7, 42.4.1         │ postgresql: SQL Injection in ResultSet.refreshRow() with    │
│                                                              │                     │          │                   │                                 │ malicious column names                                      │
│                                                              │                     │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2022-31197                  │
│                                                              ├─────────────────────┼──────────┤                   ├─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ CVE-2022-41946      │ MEDIUM   │                   │ 42.2.27, 42.3.8, 42.4.3, 42.5.1 │ Information leak of prepared statement data due to insecure │
│                                                              │                     │          │                   │                                 │ temporary file permissions...                               │
│                                                              │                     │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2022-41946                  │
│                                                              ├─────────────────────┤          │                   ├─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│                                                              │ GHSA-673j-qm5f-xpv8 │          │                   │ 42.3.3                          │ pgjdbc Arbitrary File Write Vulnerability                   │
│                                                              │                     │          │                   │                                 │ https://github.com/advisories/GHSA-673j-qm5f-xpv8           │
├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┤                                 ├─────────────────────────────────────────────────────────────┤

I saw https://github.com/jruby/activerecord-jdbc-adapter/pull/1121 but it seems to be stale.

Thanks in advance!

FraPazGal commented 1 year ago

It seems the sqlite-jdbc version of 3.32.3.3 is also affected by a CVE and should probably be updated:

├──────────────────────────────────────────────────────────────┼─────────────────────┼──────────┼───────────────────┼─────────────────────────────────┼─────────────────────────────────────────────────────────────┤
│ org.xerial:sqlite-jdbc (sqlite-jdbc-3.32.3.3.jar)            │ CVE-2023-32697      │ HIGH     │ 3.32.3.3          │ 3.41.2.2                        │ Remote code execution when JDBC url is attacker controlled  │
│                                                              │                     │          │                   │                                 │ https://avd.aquasec.com/nvd/cve-2023-32697                  │
└──────────────────────────────────────────────────────────────┴─────────────────────┴──────────┴───────────────────┴─────────────────────────────────┴─────────────────────────────────────────────────────────────┘
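
To turn scan tables like the two above into a concrete pass/fail check, here is an added example (not code from activerecord-jdbc-adapter or from anyone in this thread) that applies the branch-specific fixed versions listed above to installed driver jar filenames. The artifact names and version numbers are transcribed from the two tables; the rule that a fix applies only to the branch it was released on (and that branches newer than every fixed branch are treated as patched) is an assumption about how such fixed-version lists should be read.

```ruby
# Added example, not part of the adapter project: decide whether an installed
# JDBC driver jar is covered by a fix when the advisory lists one fixed
# version per release branch (e.g. 42.2.26, 42.3.7, 42.4.1).
require "rubygems"

# Advisory data transcribed from the scan output in this thread.
FIXED_VERSIONS = {
  "postgresql" => {
    "CVE-2022-26520" => %w[42.3.3],
    "CVE-2022-31197" => %w[42.2.26 42.3.7 42.4.1],
    "CVE-2022-41946" => %w[42.2.27 42.3.8 42.4.3 42.5.1],
  },
  "mysql-connector-java" => { "CVE-2022-21363" => %w[8.0.28] },
  "sqlite-jdbc" => { "CVE-2023-32697" => %w[3.41.2.2] },
}.freeze

# Release branch = all segments but the last, e.g. [42, 3] for 42.3.7.
def branch(version)
  version.segments[0...-1]
end

# Extract [artifact, Gem::Version] from a jar name such as "postgresql-42.2.25.jar".
def parse_jar(filename)
  m = filename.match(/\A(.+?)-(\d+(?:\.\d+)+)\.jar\z/) or return nil
  [m[1], Gem::Version.new(m[2])]
end

# Assumed rule: the installed version is patched when the fix released on its
# own branch is <= installed, or when its branch is newer than every branch
# that received a fix. A branch older than all fixed branches has no fix.
def patched?(installed, fixed_list)
  fixed = fixed_list.map { |v| Gem::Version.new(v) }
  same_branch = fixed.find { |f| branch(f) == branch(installed) }
  return installed >= same_branch if same_branch
  (branch(installed) <=> branch(fixed.max)) == 1
end

# Return the advisory ids still open for the given jar filename
# (unknown artifacts or non-jar names yield an empty list).
def open_advisories(jar_filename)
  artifact, installed = parse_jar(jar_filename)
  return [] unless artifact
  (FIXED_VERSIONS[artifact] || {}).reject { |_, fix| patched?(installed, fix) }.keys
end

if __FILE__ == $PROGRAM_NAME
  %w[postgresql-42.2.25.jar postgresql-42.3.5.jar sqlite-jdbc-3.32.3.3.jar].each do |jar|
    puts "#{jar}: #{open_advisories(jar).join(', ')}"
  end
end
```

Note that per the table CVE-2022-26520 lists only a 42.3.x fix, so under this rule a 42.2.26 jar still shows it as open; confirm against the upstream advisory before treating a 42.2.x upgrade as sufficient.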

headius commented 1 year ago

I saw your security email and I'm working on updating these now.

headius commented 1 year ago

I've updated the drivers on master but this still needs a release @kares @enebo

kares commented 1 year ago

pushed all three, the SQLite3 update might need backports + adapter release in order for users to be able to use the updated version.

haven't looked at the test so that might end up needing more work with the adapter ...

also the related CVE ("Remote code execution when JDBC url is attacker controlled") would only apply in weird use-cases, certainly not with Rails.