Advisory No: TZCERT/SA/2024/07/10-1
Date of First Release: 10th July 2024
Source: IBM
Software Affected: PostgreSQL JDBC Driver, Apache Derby
Overview:
Multiple IBM products that depend on the PostgreSQL JDBC Driver and Apache Derby are exposed to critical vulnerabilities. Attackers can exploit these vulnerabilities to dump critical data or execute arbitrary code.
Description:
Multiple IBM products running on the PostgreSQL JDBC Driver and Apache Derby are affected by critical vulnerabilities with CVSS base scores of 10 and 9.1, tracked as CVE-2024-1597 and CVE-2022-46337 respectively. The first vulnerability exists in the PostgreSQL JDBC Driver when it is used with the non-default connection property preferQueryMode=simple in combination with application code whose SQL negates a parameter value; the second is an LDAP injection vulnerability in the Apache Derby authenticator. Attackers can send a specially crafted request to execute arbitrary code on the vulnerable system.
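As an added illustration (not part of this advisory, and not code from IBM or the PostgreSQL JDBC project), the following Python helper audits a JDBC connection for the two preconditions the description names for CVE-2024-1597: the non-default preferQueryMode=simple property and application SQL that negates a bind parameter. The connection URL and sample statements are constructed for the example; the "-?" check is a heuristic and will also report that pattern inside string literals or comments.

```python
import re
from typing import Dict, List, Optional

from urllib.parse import parse_qs

# CVE-2024-1597 requires both conditions at once: the non-default
# preferQueryMode=simple connection property, and a statement that
# negates a bind parameter directly (e.g. "SELECT -?").
NEGATED_PLACEHOLDER = re.compile(r"-\?")  # a '?' immediately preceded by '-'


def uses_simple_query_mode(jdbc_url: str, props: Optional[Dict[str, str]] = None) -> bool:
    """True if the URL query string or an explicit property selects simple query mode."""
    if props and str(props.get("preferQueryMode", "")).lower() == "simple":
        return True
    if not jdbc_url.startswith("jdbc:postgresql:"):
        return False
    _, _, query = jdbc_url.partition("?")
    values = parse_qs(query).get("preferQueryMode", [])
    return any(v.lower() == "simple" for v in values)


def negating_statements(statements: List[str]) -> List[str]:
    """Return the statements in which a placeholder is negated without a space.

    "balance - ?" is not reported: with a space, a negative value cannot
    fuse with the minus sign into a "--" comment marker.
    """
    return [s for s in statements if NEGATED_PLACEHOLDER.search(s)]


def audit_connection(jdbc_url: str, props: Optional[Dict[str, str]], statements: List[str]) -> dict:
    """Report each precondition separately and whether both hold together."""
    simple = uses_simple_query_mode(jdbc_url, props)
    negating = negating_statements(statements)
    return {
        "simple_query_mode": simple,
        "negating_statements": negating,
        "at_risk": simple and bool(negating),
    }


if __name__ == "__main__":
    # Constructed sample configuration; not taken from any real deployment.
    url = "jdbc:postgresql://db.example.internal:5432/app?ssl=true&preferQueryMode=simple"
    sql = [
        "SELECT id FROM orders WHERE amount = ?",
        "SELECT -? AS negated_total",
        "UPDATE ledger SET balance = balance - ? WHERE id = ?",
    ]
    print(audit_connection(url, None, sql))
```

A deployment that reports at_risk=True should either drop the preferQueryMode=simple property or apply the vendor patch referenced below; a result of False for one precondition does not by itself mean the driver is up to date.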
Impact:
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected system.
Solution:
IBM has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
References:
- https://exchange.xforce.ibmcloud.com/vulnerabilities/283693
- https://exchange.xforce.ibmcloud.com/vulnerabilities/271915