CVE-2024-1597
📋 TL;DR
This SQL injection vulnerability in the PostgreSQL JDBC Driver (pgjdbc) lets an attacker bypass the protection that parameterized queries normally provide, but only when the driver runs with the non-default preferQueryMode=simple setting. In that mode the driver splices parameter values into the SQL text on the client side instead of sending them separately. If a numeric placeholder is immediately preceded by a minus sign and a string placeholder follows it on the same line, a negative numeric value turns the "-" in the query plus the "-" of the literal into a "--" line comment, and a string value that contains a newline supplies the SQL that runs after it. The default extended query mode is not affected.
💻 Affected Systems
- PostgreSQL JDBC Driver (pgjdbc)
📦 What is this software?
pgjdbc is the open-source JDBC driver that Java applications use to connect to PostgreSQL. It ships as the Maven artifact org.postgresql:postgresql, is embedded in many application servers, connection pools and fat JARs, and is also packaged by Linux distributions such as Fedora and Debian (the distribution advisories under References cover those packages).
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the data reachable by the application's database role: theft, modification or deletion. Because simple query mode also accepts several statements in one string, stacked queries are possible. If that role is a superuser or otherwise allowed to run COPY ... TO PROGRAM or load untrusted extensions, this extends to code execution on the database server.
Likely Case
Data exfiltration through UNION or stacked statements, unauthorized data modification, or escalation to whatever the application's database role is permitted to do.
If Mitigated
No impact if the driver runs in the default extended query mode or has been upgraded to a fixed release.
🎯 Exploit Status
Exploitation needs a query in which a numeric placeholder is directly preceded by a minus sign and a string placeholder follows it on the same line, with the attacker controlling both values: a negative number for the first and a string containing a newline for the second. Those conditions, and the reasoning behind them, are documented in full in the vendor advisory and the Sonar write-up listed under References, so an attacker who finds a matching query needs no further research.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, or 42.2.28 depending on your version line
Vendor Advisory: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
Restart Required: Yes
Instructions:
1. Identify the pgjdbc version currently deployed (including copies bundled in fat JARs or supplied by the application server).
2. Upgrade to the fixed release for your line: 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1 or 42.7.2.
3. Restart every Java application that loads the driver.
4. Verify that the new version is the one actually loaded at runtime.
🔧 Temporary Workarounds
Disable preferQueryMode=simple
Applies to: all
Switch the driver back to the default extended query mode, which is not vulnerable: remove preferQueryMode=simple (the property name as pgjdbc documents it) from JDBC URLs, Properties objects and DataSource configuration. Simple mode is usually enabled to work around a pooler or proxy that cannot handle the extended protocol, so confirm why it was set before removing it.
Input validation for numeric and string parameters
Applies to: all
In the application, reject negative values for numeric parameters that are bound behind a minus sign, or reject newline characters in string parameters that follow them on the same line; either check breaks the attack. This is defence in depth only, because it relies on finding every query with the vulnerable shape.
🧯 If You Can't Patch
- Remove preferQueryMode=simple immediately; this alone closes the hole.
- If simple mode must stay, audit hand-written and ORM-generated SQL for a "-?" immediately followed on the same line by a string placeholder, and validate the parameters bound to those queries as described above.
🔍 How to Verify
Check if Vulnerable:
The application is exposed only when both hold: the driver is configured with preferQueryMode=simple (in the JDBC URL, a Properties object or a DataSource setter) and the pgjdbc version is below the fixed release for its line.
Check Version:
Look up org.postgresql:postgresql in the dependency tree (mvn dependency:tree or gradle dependencies), or read the version from the deployed JAR's file name or META-INF metadata; include shaded and fat JARs and drivers supplied by the application server, which may differ from what the build declares.
Verify Fix Applied:
Confirm the loaded pgjdbc version is at or above the fixed release for its line: 42.2.28, 42.3.9, 42.4.4, 42.5.5, 42.6.1 or 42.7.2. Any release newer than 42.7.2 also contains the fix.
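The two checks above can be scripted over an inventory of deployments. The Python below is an added example, not a tool shipped by pgjdbc: it compares a version string against the per-line fixed releases from the advisory and inspects JDBC URLs for preferQueryMode=simple. The inventory entries (hosts, databases, versions) are constructed. Matching on the property name is deliberately case-insensitive so that variants such as PreferQueryMode=SIMPLE are caught; a setting applied through a Properties object or DataSource setter is not visible to a URL scan and has to be found in code.

```python
import re
from urllib.parse import parse_qs, urlsplit

# First fixed patch release per 42.x minor line, from GHSA-24rp-q3w6-vc56.
# Minor lines above 42.7 and majors above 42 were released after the fix.
FIXED_PATCH = {2: 28, 3: 9, 4: 4, 5: 5, 6: 1, 7: 2}

VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(version: str):
    """Return (major, minor, patch); trailing qualifiers such as '.jre7' are ignored."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a pgjdbc version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(version: str) -> bool:
    """True if this pgjdbc version contains the fix for CVE-2024-1597."""
    major, minor, patch = parse_version(version)
    if major != 42:
        return major > 42          # pre-42 lines have no fixed release listed
    if minor in FIXED_PATCH:
        return patch >= FIXED_PATCH[minor]
    return minor > 7               # 42.0.x / 42.1.x: no fixed release listed


def uses_simple_mode(jdbc_url: str) -> bool:
    """True if the JDBC URL selects preferQueryMode=simple (case-insensitive)."""
    if jdbc_url.lower().startswith("jdbc:"):
        jdbc_url = jdbc_url[5:]    # urlsplit needs the bare postgresql:... form
    query = parse_qs(urlsplit(jdbc_url).query)
    for key, values in query.items():
        if key.lower() == "preferquerymode":
            return any(v.lower() == "simple" for v in values)
    return False


def assess(coordinate: str, jdbc_url: str) -> str:
    """Classify one deployment from its Maven coordinate and connection URL."""
    version = coordinate.rsplit(":", 1)[1]
    if not uses_simple_mode(jdbc_url):
        return "not exposed (default query mode)"
    if is_fixed(version):
        return "simple mode, but driver is patched"
    return f"VULNERABLE: simple mode on pgjdbc {version}"


# Constructed inventory; hosts, databases and versions are made up.
INVENTORY = [
    ("org.postgresql:postgresql:42.5.3", "jdbc:postgresql://db1.internal:5432/orders?preferQueryMode=simple"),
    ("org.postgresql:postgresql:42.5.5", "jdbc:postgresql://db1.internal:5432/orders?PreferQueryMode=SIMPLE&ssl=true"),
    ("org.postgresql:postgresql:42.7.1", "jdbc:postgresql://db2.internal/billing"),
    ("org.postgresql:postgresql:42.2.28.jre7", "jdbc:postgresql:legacy?preferQueryMode=simple"),
]


def triage(inventory=INVENTORY):
    """Return [(coordinate, verdict)] for every entry of the inventory."""
    return [(coord, assess(coord, url)) for coord, url in inventory]


if __name__ == "__main__":
    for coord, verdict in triage():
        print(f"{coord:45} {verdict}")
```

Note that the third entry (42.7.1 in default mode) is reported as not exposed even though the driver is unpatched; it should still be upgraded, since a later configuration change to simple mode would make it vulnerable.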
📡 Detection & Monitoring
Log Indicators:
- Statement text in which "--" is immediately followed by a digit (for example "--1"), the signature of a minus sign in the query colliding with a negative literal. In simple mode the fully substituted statement reaches the server, so it appears in PostgreSQL logs when log_statement = 'all' is set.
- Multi-line statements from the application in which a line comment is followed by more SQL on the next line; legitimate application queries rarely look like this.
- Bursts of syntax errors attributed to the application's database role, typical of an attacker tuning the payload.
- Query results or row counts that do not match what the application's own parameters could produce.
Network Indicators:
- Statements containing line comments, UNION clauses or stacked statements arriving from application servers that normally issue single-line queries.
SIEM Query:
Search PostgreSQL statement logs for text matching the pattern "--" followed by a digit, and correlate with syntax errors from the same session or role. In the default extended mode the parameters are logged separately (in a DETAIL: parameters line), so this pattern only shows up in statement text under simple mode.
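The detection logic above, run over sample log lines, as an added example that is not part of the original page or of any vendor tooling. The log excerpt is constructed: it follows the stock PostgreSQL log layout with log_statement = 'all' (timestamp, process id, "LOG:  statement:", and tab-indented continuation lines for a multi-line statement), but the statements and identifiers are made up.

```python
import re

# Constructed sample of a PostgreSQL server log written with
# log_statement = 'all'. The layout follows the stock format
# ("<timestamp> [<pid>] LOG:  statement: ..." with continuation lines of a
# multi-line statement indented by a tab); the statements are made up.
SAMPLE_LOG = """\
2024-04-02 10:00:01.001 UTC [4242] LOG:  statement: SELECT id FROM orders WHERE balance = -5 AND customer = 'alice'
2024-04-02 10:00:01.002 UTC [4242] LOG:  statement: SELECT id FROM orders WHERE balance = --1 AND customer = '
\t1 UNION SELECT password FROM users --'
2024-04-02 10:00:01.003 UTC [4243] LOG:  statement: SELECT 1 -- health check
2024-04-02 10:00:01.004 UTC [4242] ERROR:  syntax error at end of input at character 41
"""

STATEMENT_RE = re.compile(r"LOG:  statement: (?P<sql>.*)$")
# '-' from the query text followed by a negative literal yields '--<digit>';
# hand-written comments practically never start with a digit.
DOUBLE_DASH_DIGIT = re.compile(r"--\d")
# A line comment followed by a further line of the same statement: the rest
# of the first line is dead, and whatever comes next is live SQL.
COMMENT_THEN_MORE = re.compile(r"--[^\n]*\n\s*\S")


def iter_statements(log_text: str):
    """Yield (line_no, sql) per logged statement, re-joining tab-indented
    continuation lines to the statement they belong to."""
    current = None
    for n, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("\t") and current is not None:
            current[1] += "\n" + line[1:]
            continue
        if current is not None:
            yield tuple(current)
            current = None
        m = STATEMENT_RE.search(line)
        if m:
            current = [n, m.group("sql")]
    if current is not None:
        yield tuple(current)


def find_suspicious(log_text: str):
    """Return [(line_no, [reasons])] for statements that match the
    CVE-2024-1597 pattern. Both signals together are a strong indicator;
    the second alone also fires on legitimate commented multi-line SQL."""
    hits = []
    for n, sql in iter_statements(log_text):
        reasons = []
        if DOUBLE_DASH_DIGIT.search(sql):
            reasons.append("'--' immediately followed by a digit")
        if COMMENT_THEN_MORE.search(sql):
            reasons.append("line comment followed by more SQL on the next line")
        if reasons:
            hits.append((n, reasons))
    return hits


if __name__ == "__main__":
    for line_no, reasons in find_suspicious(SAMPLE_LOG):
        print(f"line {line_no}: " + "; ".join(reasons))
```

Only the second statement is flagged, on both signals; the ordinary negative literal in the first statement and the commented health check in the third are left alone. A SIEM rule built from the same two regexes should be scoped to the application's database role to keep noise from DBA sessions down.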
🔗 References
- http://www.openwall.com/lists/oss-security/2024/04/02/6
- https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56
- https://lists.debian.org/debian-lts-announce/2024/05/msg00007.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TZQTSMESZD2RJ5XBPSXH3TIQVUW5DIUU/
- https://security.netapp.com/advisory/ntap-20240419-0008/
- https://www.enterprisedb.com/docs/jdbc_connector/latest/01_jdbc_rel_notes/
- https://www.enterprisedb.com/docs/security/assessments/cve-2024-1597/
- https://lists.debian.org/debian-lts-announce/2024/12/msg00017.html
- https://www.sonarsource.com/blog/double-dash-double-trouble-a-subtle-sql-injection-flaw/