CVE-2023-30535
📋 TL;DR
This CVE describes a command injection vulnerability in the Snowflake JDBC driver that leads to remote code execution on the client. An attacker who operates a malicious server can trick a user into connecting to it through a crafted SSO connection URL; the driver then executes the attacker's payload on the victim's machine. All users of vulnerable Snowflake JDBC driver versions are affected.
💻 Affected Systems
- Snowflake JDBC Driver
📦 What is this software?
Snowflake JDBC driver, by Snowflake
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise of the client machine, allowing attacker to execute arbitrary commands with user privileges, potentially leading to data theft, lateral movement, or ransomware deployment.
Likely Case
Attacker gains control of the user's local machine, potentially accessing sensitive data, credentials, or using the machine as a pivot point into the network.
If Mitigated
With proper network segmentation and user awareness, impact is limited to isolated client machines without access to critical systems.
🎯 Exploit Status
Exploitation requires social engineering to trick users into visiting malicious URLs, but technical execution is straightforward once the malicious server is established.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.13.29
Vendor Advisory: https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-4g3j-c4wg-6j7x
Restart Required: Yes
Instructions:
1. Identify all applications using the Snowflake JDBC driver.
2. Update the driver dependency to version 3.13.29 or later.
3. Rebuild and redeploy the affected applications.
4. Restart the application services.
🔧 Temporary Workarounds
Network Restriction
Restrict outbound connections from client machines to only trusted Snowflake endpoints
User Awareness Training
Train users not to click on untrusted database connection URLs
🧯 If You Can't Patch
- Implement strict network controls to prevent client machines from connecting to untrusted servers
- Use application allowlisting to prevent execution of unauthorized processes on client machines
🔍 How to Verify
Check if Vulnerable:
Check the JDBC driver version in your application's dependencies or classpath. Versions before 3.13.29 are vulnerable.
Check Version:
Check your build configuration (Maven pom.xml, Gradle build.gradle) or run: java -cp snowflake-jdbc.jar snowflake.client.jdbc.internal.jdbc.core.SFDriver --version
Verify Fix Applied:
Confirm that all applications are using Snowflake JDBC driver version 3.13.29 or later.
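The version check above is easy to get wrong by hand, because a lexical comparison ranks "3.13.3" above "3.13.29". The following script is an added example (not part of the advisory, and not Snowflake's tooling) that pulls the snowflake-jdbc version out of a Maven pom.xml or a Gradle dependency line and compares it numerically against the fixed version 3.13.29. The pom and Gradle fragments are constructed sample inputs; a version given as a property placeholder such as `${snowflake.version}` is reported as unresolved rather than silently treated as safe.

```python
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "3.13.29"  # first fixed release named in the advisory

# Constructed sample inputs (not taken from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>net.snowflake</groupId>
      <artifactId>snowflake-jdbc</artifactId>
      <version>3.13.3</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_GRADLE = """dependencies {
    implementation 'net.snowflake:snowflake-jdbc:3.13.30'
    implementation 'net.snowflake:snowflake-jdbc:${snowflakeVersion}'
}"""


def parse_version(version: str) -> tuple:
    """'3.13.29' -> (3, 13, 29). Numeric tuples compare correctly;
    plain strings would rank '3.13.3' above '3.13.29'."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_literal_version(version: str) -> bool:
    """True for a concrete x.y.z string, False for placeholders like ${...}."""
    return re.fullmatch(r"\d+(\.\d+)*", version) is not None


def is_vulnerable(version: str) -> bool:
    """Anything below the fixed version is affected."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def _local(tag: str) -> str:
    # Strip the XML namespace so the parser works with or without xmlns.
    return tag.split("}")[-1]


def versions_from_pom(xml_text: str) -> list:
    """Return every <version> declared for net.snowflake:snowflake-jdbc."""
    root = ET.fromstring(xml_text)
    found = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(child.tag): (child.text or "").strip() for child in dep}
        if (fields.get("groupId") == "net.snowflake"
                and fields.get("artifactId") == "snowflake-jdbc"
                and fields.get("version")):
            found.append(fields["version"])
    return found


def versions_from_gradle(text: str) -> list:
    """Return the version part of every 'net.snowflake:snowflake-jdbc:<ver>' coordinate."""
    return re.findall(r"net\.snowflake:snowflake-jdbc:([^'\"\s]+)", text)


def audit(versions: list) -> dict:
    """Map each declared version to 'vulnerable', 'fixed' or 'unresolved'."""
    verdicts = {}
    for version in versions:
        if not is_literal_version(version):
            verdicts[version] = "unresolved"   # placeholder: resolve it, do not assume safe
        elif is_vulnerable(version):
            verdicts[version] = "vulnerable"
        else:
            verdicts[version] = "fixed"
    return verdicts


if __name__ == "__main__":
    print("pom:", audit(versions_from_pom(SAMPLE_POM)))
    print("gradle:", audit(versions_from_gradle(SAMPLE_GRADLE)))
```

Run it against your own build files by reading them into the two `versions_from_*` functions; any "unresolved" entry means the version is set through a property or variable and must be resolved (for example with the build tool's dependency report) before the application can be declared fixed.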
📡 Detection & Monitoring
Log Indicators:
- Unexpected outbound connections to non-Snowflake domains from JDBC clients
- Java process spawning unexpected child processes
Network Indicators:
- Client machines connecting to unusual domains on ports 80/443
- SSO authentication requests to non-standard endpoints
SIEM Query:
source="*jdbc*" AND (url="*malicious*" OR domain!="*.snowflakecomputing.com")
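The SIEM query above expresses the idea; the script below is an added example (not from the advisory) of the same check run over connection log lines, so the domain test can be seen to handle a look-alike host correctly. The log lines are constructed for the example and do not reproduce the driver's actual log format; the `url=` and `user=` fields are assumptions. The trust test requires the hostname to equal `snowflakecomputing.com` or end in `.snowflakecomputing.com`, which rejects a host such as `acme.snowflakecomputing.com.evil-example.test` that a naive substring match would accept, and flags bare IP addresses as well.

```python
import re
from urllib.parse import urlparse

# Domains the JDBC client is expected to reach (from the SIEM query above).
TRUSTED_SUFFIXES = ("snowflakecomputing.com",)

# Constructed sample log lines; the field layout is an assumption for this example.
SAMPLE_LOGS = [
    "2024-01-10T09:00:01Z INFO snowflake-jdbc connect url=https://acme.us-east-1.snowflakecomputing.com:443 user=alice",
    "2024-01-10T09:00:07Z INFO snowflake-jdbc connect url=https://sso-login.example.net:443 user=bob",
    "2024-01-10T09:00:12Z INFO snowflake-jdbc connect url=https://acme.snowflakecomputing.com.evil-example.test/sso user=carol",
    "2024-01-10T09:00:20Z INFO snowflake-jdbc connect url=http://10.0.0.5:8080/sso user=dave",
    "2024-01-10T09:00:25Z INFO snowflake-jdbc heartbeat ok",
]

FIELD_RE = re.compile(r"url=(?P<url>\S+).*?user=(?P<user>\S+)")


def host_from_url(url: str):
    """Hostname of a URL, lower-cased with any trailing dot removed; None if absent."""
    host = urlparse(url).hostname
    return host.rstrip(".").lower() if host else None


def is_trusted_host(host: str) -> bool:
    """Exact match or true subdomain of a trusted suffix. Suffix-only matching
    without the leading dot would accept 'notsnowflakecomputing.com'; substring
    matching would accept 'snowflakecomputing.com.evil-example.test'."""
    if not host:
        return False
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def flag_untrusted(lines: list) -> list:
    """Return (user, host) for every connection to a host outside the trusted domains."""
    flagged = []
    for line in lines:
        m = FIELD_RE.search(line)
        if not m:
            continue  # not a connection record
        host = host_from_url(m.group("url"))
        if not is_trusted_host(host):
            flagged.append((m.group("user"), host))
    return flagged


if __name__ == "__main__":
    for user, host in flag_untrusted(SAMPLE_LOGS):
        print(f"ALERT: {user} connected JDBC client to untrusted host {host}")
```

Feed the function real connection logs from your JDBC clients; every returned pair is a candidate for the "unexpected outbound connection" indicator listed above and should be correlated with the child-process indicator on the same host.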
🔗 References
- https://community.snowflake.com/s/article/JDBC-Driver-Release-Notes
- https://github.com/snowflakedb/snowflake-jdbc/security/advisories/GHSA-4g3j-c4wg-6j7x