
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Databricks JDBC Driver before version 2.6.40 contains a vulnerability (CVE-2024-49194) that could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. The vulnerability was discovered by the Alibaba Cloud Intelligence Security Team and was reported through the Databricks bug bounty program. It has been assigned a CVSSv3.1 score of 7.3 (High severity) (Databricks KB, NVD).
The vulnerability stems from improper handling of the krbJAASFile parameter within the JDBC driver. An attacker could potentially achieve remote code execution in the context of the driver by tricking a victim into connecting with a specially crafted connection URL that sets the krbJAASFile property. The resulting CVSSv3.1 base score is 7.3, indicating high severity (Security Online, ASEC).
If successfully exploited, the vulnerability allows attackers to execute arbitrary code remotely in the context of the JDBC driver. This could potentially lead to unauthorized access and control over affected systems running the vulnerable versions of the Databricks JDBC Driver (Security Online).
Databricks has released version 2.6.40 of the JDBC driver, which patches this vulnerability. All current versions of Databricks Runtime on Databricks compute and serverless compute have been patched. For users unable to update immediately, a temporary workaround is to update the JVM configuration to prevent arbitrary deserialization via JNDI by setting the system properties com.sun.jndi.ldap.object.trustURLCodebase and com.sun.jndi.ldap.object.trustSerialData to false (Databricks KB).
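The following is an added example, not code from Databricks or the driver: a small Java startup guard that enforces the two JVM properties named in the workaround and refuses externally supplied JDBC URLs carrying the krbJAASFile property before they reach DriverManager. The `;key=value` URL layout after the schema path, the class name, and the sample hosts are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Hypothetical hardening helper; not part of the Databricks JDBC driver. */
public final class DatabricksJdbcGuard {
    // JNDI system properties from the Databricks KB workaround; both must be "false".
    private static final String[] JNDI_PROPS = {
        "com.sun.jndi.ldap.object.trustURLCodebase",
        "com.sun.jndi.ldap.object.trustSerialData"
    };
    // Connection properties refused when the URL comes from an untrusted source.
    private static final Set<String> BLOCKED = Set.of("krbjaasfile");

    /** Fail closed: require both flags to be set explicitly (e.g. -D... at JVM launch). */
    public static void requireJndiHardening() {
        for (String p : JNDI_PROPS) {
            if (!"false".equalsIgnoreCase(System.getProperty(p))) {
                throw new IllegalStateException("JVM must be started with -D" + p + "=false");
            }
        }
    }

    /** Parse the ';'-separated properties after the path (assumed URL layout). */
    static Map<String, String> parseUrlProperties(String url) {
        Map<String, String> props = new HashMap<>();
        int semi = url.indexOf(';');
        if (semi < 0) return props;
        for (String kv : url.substring(semi + 1).split(";")) {
            int eq = kv.indexOf('=');
            if (eq > 0) props.put(kv.substring(0, eq).trim().toLowerCase(Locale.ROOT), kv.substring(eq + 1));
        }
        return props;
    }

    /** Reject a URL that carries a blocked property; returns it unchanged otherwise. */
    public static String validateUrl(String url) {
        for (String key : parseUrlProperties(url).keySet()) {
            if (BLOCKED.contains(key)) {
                throw new IllegalArgumentException("refusing JDBC URL with blocked property: " + key);
            }
        }
        return url;
    }

    public static void main(String[] args) {
        requireJndiHardening();
        // Constructed sample URLs; host is a placeholder.
        String ok = "jdbc:databricks://example.invalid:443/default;transportMode=http;ssl=1";
        String bad = ok + ";krbJAASFile=/path/from/untrusted/source.conf";
        validateUrl(ok);
        try { validateUrl(bad); } catch (IllegalArgumentException e) { System.out.println("blocked: " + e.getMessage()); }
    }
}
```

The JNDI properties are read by the JDK when its LDAP classes initialize, so they belong on the launch command line; this check only confirms they are present rather than setting them late.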
Source: This report was generated using AI