Thread: Question about CVE-2022-21724

From: Zuzana Miklankova
Date:
Hello,

I have a question regarding CVE-2022-21724 - Unchecked Class Instantiation
when providing Plugin Classes, fixed by [1].

The CVE describes that in affected versions the user can load the connection properties classes without checking first if the provided class implements the expected interface. The affected connection properties were the following ones:
authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback.

The related security advisory [2] mentions that the first affected version is REL9.4.1208, with an explanation saying that in this release the socketFactory property first appeared.

However, I have checked the REL9.2-1002 release, and even though socketFactory is not present as expected, there are still the sslhostnameverifier, sslfactory and sslpasswordcallback connection properties available for a user to define.

Classes from these properties are loaded with 'instantiate' method too, without checking if they implement the required interface.

How come only the socketFactory has an effect on the CVE's presence, so that the first affected version is REL9.4.1208?


Thanks,
Zuzana

[1] https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813
[2] https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4
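The instantiation pattern the question describes, as an added Java illustration that is not code from the pgjdbc commit or from the poster: an unchecked load of a class named in a connection property, beside a variant that verifies the plugin type before any constructor runs. The class and method names are my own assumptions, and the property value is a constructed one.

```java
import java.lang.reflect.Constructor;
import javax.net.SocketFactory;

// Added illustration (hypothetical names, not pgjdbc's own code): loading a
// plugin class named in a connection property, with and without a type check.
public final class PluginLoading {

    // Unchecked pattern as described in the question: any class on the classpath
    // with a no-arg constructor is instantiated, whatever interfaces it implements.
    static Object instantiateUnchecked(String className) throws Exception {
        Class<?> cls = Class.forName(className);
        Constructor<?> ctor = cls.getConstructor();
        return ctor.newInstance();
    }

    // Hardened pattern: confirm assignability to the expected plugin interface
    // before instantiating. initialize=false keeps the named class's static
    // initializer from running until the check has passed.
    static <T> T instantiateChecked(Class<T> expected, String className) throws Exception {
        Class<?> cls = Class.forName(className, false, PluginLoading.class.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(
                className + " does not implement " + expected.getName());
        }
        Constructor<?> ctor = cls.getConstructor();
        return expected.cast(ctor.newInstance());
    }

    public static void main(String[] args) throws Exception {
        // Constructed property value naming a class that is not a SocketFactory.
        String propertyValue = "java.util.ArrayList";

        Object o = instantiateUnchecked(propertyValue);   // succeeds: an ArrayList
        System.out.println("unchecked: " + o.getClass().getName());

        try {
            instantiateChecked(SocketFactory.class, propertyValue);
        } catch (IllegalArgumentException e) {
            System.out.println("checked: " + e.getMessage());  // rejected before construction
        }
    }
}
```

The same check applies to each of the properties listed in the post (sslhostnameverifier, sslfactory, sslpasswordcallback, authenticationPluginClassName), each with its own expected interface.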