CVE-2024-49194
📋 TL;DR
This vulnerability in Databricks JDBC Driver allows remote code execution via JNDI injection through a crafted JDBC URL containing the krbJAASFile parameter. Attackers can exploit this by tricking users into connecting with malicious URLs. Organizations using Databricks JDBC Driver 2.x for database connections are affected.
💻 Affected Systems
- Databricks JDBC Driver
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining code execution in the context of the JDBC driver process, potentially leading to data exfiltration, lateral movement, or ransomware deployment.
Likely Case
Limited code execution within the JDBC driver context, potentially allowing access to database credentials and sensitive data accessible through the driver.
If Mitigated
No impact if proper URL validation and network segmentation prevent malicious connection attempts.
🎯 Exploit Status
Exploitation requires user interaction (connecting with malicious URL) but the technique is well-known (JNDI injection).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.40 and later
Vendor Advisory: https://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194
Restart Required: Yes
Instructions:
1. Download Databricks JDBC Driver version 2.6.40 or later.
2. Replace existing driver JAR files with the updated version.
3. Restart all applications using the driver.
4. Update connection strings in applications if needed.
🔧 Temporary Workarounds
Validate JDBC URLs
Implement strict validation of JDBC connection URLs to reject any containing the krbJAASFile parameter with suspicious values.
Network Segmentation
Restrict outbound network access from JDBC driver hosts to prevent JNDI lookups to external servers.
🧯 If You Can't Patch
- Implement application-level validation to reject JDBC URLs containing krbJAASFile parameter
- Use network controls to block outbound LDAP/RMI traffic from systems using the driver
🔍 How to Verify
Check if Vulnerable:
Check the driver version in use. If using Databricks JDBC Driver 2.x and version is below 2.6.40, the system is vulnerable.
Check Version:
Check the JAR file name or its manifest properties: databricks-jdbc-2.x.x.jar, where x.x must be 6.40 or higher.
Verify Fix Applied:
Verify the driver JAR file version is 2.6.40 or higher by checking file properties or using 'java -jar databricks-jdbc-*.jar --version' if supported.
📡 Detection & Monitoring
Log Indicators:
- JDBC connection attempts with krbJAASFile parameter in URL
- Unexpected JNDI/LDAP lookups from JDBC driver process
Network Indicators:
- Outbound LDAP/RMI connections from systems using Databricks JDBC Driver
- Suspicious JDBC URL patterns in network logs
SIEM Query:
source="application_logs" AND "krbJAASFile" AND "jdbc:databricks"
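Added example (not code from the advisory or from Databricks) covering the application-level URL validation under "If You Can't Patch" and the log-based detection above: a gate that refuses any Databricks JDBC URL carrying krbJAASFile, and the same check run over constructed sample log lines as a parsed counterpart of the SIEM query. The `;key=value` property layout after the host and the `url="..."` log format are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample connection URLs and log lines (not taken from the advisory).
SAFE_URL = "jdbc:databricks://host.example.com:443/default;transportMode=http;httpPath=/sql/1.0/warehouses/abc"
BAD_URL = "jdbc:databricks://host.example.com:443/default;AuthMech=3;krbJAASFile=/tmp/rogue.conf"
BAD_URL_CASE = "jdbc:databricks://host.example.com:443/default;KRBJAASFILE=%2Ftmp%2Frogue.conf"
SAMPLE_LOGS = [
    f'app=etl level=INFO msg="connecting" url="{SAFE_URL}"',
    f'app=bi level=INFO msg="connecting" url="{BAD_URL}"',
    f'app=bi level=INFO msg="connecting" url="{BAD_URL_CASE}"',
    'app=web level=INFO msg="healthcheck ok"',
]

def jdbc_params(url: str) -> dict:
    """Split the ';'-separated key=value properties that follow the host part of a
    Databricks JDBC URL (assumed layout); keys are lower-cased, values URL-decoded."""
    if not url.lower().startswith("jdbc:databricks:"):
        raise ValueError("not a Databricks JDBC URL")
    params = {}
    for part in url.split(";")[1:]:  # part 0 is jdbc:databricks://host:port/schema
        key, _, value = part.partition("=")
        if key.strip():
            params[key.strip().lower()] = unquote(value)
    return params

def is_url_allowed(url: str) -> bool:
    """Application-level gate: refuse any Databricks URL carrying krbJAASFile,
    whatever the key's case or the value's encoding. Non-Databricks URLs are refused too."""
    try:
        return "krbjaasfile" not in jdbc_params(url)
    except ValueError:
        return False

URL_RE = re.compile(r'url="([^"]*)"')

def flag_log_lines(lines) -> list:
    """Detection counterpart of the SIEM query: return lines whose jdbc:databricks
    URL carries krbJAASFile, by parsing the properties rather than substring matching."""
    hits = []
    for line in lines:
        m = URL_RE.search(line)
        if m and m.group(1).lower().startswith("jdbc:databricks:") and not is_url_allowed(m.group(1)):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for line in flag_log_lines(SAMPLE_LOGS):
        print("ALERT:", line)
```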