CVE-2024-32888: 
Java vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2024-32888) has been discovered in the Amazon JDBC Driver for Redshift, a Type 4 JDBC driver that provides database connectivity through standard JDBC application program interfaces (APIs) for Java Platform, Enterprise Editions. The vulnerability affects versions prior to 2.1.0.28 and carries a CVSS score of 10.0 (Critical). The issue specifically occurs when using the non-default connection property 'preferQueryMode=simple' in combination with application code that has a vulnerable SQL that negates a parameter value (AWS Advisory, NVD).

The vulnerability stems from improper parameter handling in simple query mode. When using the non-default 'preferQueryMode=simple' setting, the driver becomes susceptible to SQL injection attacks if the application code includes poorly constructed queries that attempt to negate parameter values. It's important to note that this vulnerability does not affect the default extended query mode, and 'preferQueryMode' is not a supported parameter in the Redshift JDBC driver but is inherited from the Postgres JDBC driver. The vulnerability has been assigned a CVSS v3.1 base score of 10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (AWS Advisory).

The vulnerability could allow attackers to execute unauthorized SQL commands on affected systems, potentially leading to data breaches, unauthorized access, or complete system takeover. Given the critical CVSS score of 10.0, the vulnerability represents the highest possible severity level, indicating potential for significant impact on affected systems (Security Online).

The vulnerability has been patched in Amazon Redshift JDBC Driver version 2.1.0.28. As a workaround, users are strongly advised not to use the connection property 'preferQueryMode=simple'. Those who do not explicitly specify a query mode use the default extended query mode and are not affected by this issue (AWS Advisory).