CVE-2022-41828: 
Java vulnerability analysis and mitigation

In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before version 2.1.0.8, a vulnerability was discovered where the Object Factory does not check the class type when instantiating an object from a class name. The vulnerability was discovered and disclosed in September 2022, affecting all versions prior to 2.1.0.8 (NVD, MITRE).

The vulnerability stems from insufficient class type verification in the Object Factory component when instantiating plugin instances. When plugins are used with the driver, it instantiates plugin instances based on Java class names provided via the sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback connection properties. The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a high severity issue (NVD, GitHub Advisory).

The vulnerability can lead to loading of arbitrary Java classes, which a knowledgeable attacker with control over the JDBC URL can use to achieve remote code execution. This poses a significant security risk as it could allow unauthorized access to sensitive data and potential system compromise (GitHub Advisory).

The vulnerability has been patched in version 2.1.0.8 of the Amazon AWS Redshift JDBC Driver. Users are advised to upgrade to this version or later. There are no known workarounds for this vulnerability, making the upgrade the only effective solution (GitHub Advisory, Redshift Commit).