CVE-2022-41828

Description

### Impact A potential remote command execution issue exists within `redshift-jdbc42` versions 2.1.0.7 and below. When plugins are used with the driver, it instantiates plugin instances based on Java class names provided via the `sslhostnameverifier`, `socketFactory`, `sslfactory`, and `sslpasswordcallback` connection properties. In affected versions, the driver does not verify if a plugin class implements the expected interface before instantiatiaton. This can lead to loading of arbitrary Java classes, which a knowledgeable attacker with control over the JDBC URL can use to achieve remote code execution. ### Patches This issue is patched within `redshift-jdbc-42` 2.1.0.8 and above. ### Workarounds We advise customers using plugins to upgrade to `redshift-jdbc42` version 2.1.0.8 or above. There are no known workarounds for this issue. ### For more information If you have any questions or comments about this advisory, please contact AWS Security at [aws-security@amazon.com](mailto:aws-security@amazon.com).

How to fix CVE-2022-41828

To remediate CVE-2022-41828, upgrade the affected package to a fixed version below.

• —upgrade to 2.1.0.8 or later

Is CVE-2022-41828 being exploited?

Moderate — EPSS is 9.6%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• from 0, < 2.1.0.8

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41828
• PATCHgithub.com/aws/amazon-redshift-jdbc-driver
• WEBgithub.com/aws/amazon-redshift-jdbc-driver/commit/40b143b4698faf90c788ffa89f2d4d8d2ad068b5
• WEBgithub.com/aws/amazon-redshift-jdbc-driver/commit/9999659bbc9f3d006fb02a0bf39d5bcf3b503605