Postgresql connector pgjdbc CVE-2022-21724


Philippe JOVET (EXT)

Jul 11, 2022, 8:52:24 AM7/11/22
to rundeck-discuss
Hello,

rundeck 4.3.1 running on Oracle Linux 7.9 (RedHat-like)
Database: embedded Amazon RDS PostgreSQL 13.6

I'm using the Postgresql connector pgjdbc to connect the rundeck database with this line in /etc/rundeck/log4j.properties


So, I'm trying to check this CVE:


But I don't find how to check the pgjdbc Embedded in rundeck.

Does somebody have an idea?

Best regards

rac...@rundeck.com

Jul 11, 2022, 10:04:44 AM7/11/22
to rundeck-discuss

Hi Philippe,

Uncompressing the war file, you can find the postgresql-42.3.3.jar file at the rundeck-4.3.1-20220615/WEB-INF/lib path. Checking the CVE, the affected versions are 42.3.0, 42.3.2, and 42.2.25.

Regards!

Philippe JOVET (EXT)

Jul 13, 2022, 12:06:01 PM7/13/22
to rundeck-discuss
Hello,

thanks, what I found:

Implementation-Title: PostgreSQL JDBC Driver - JDBC 4.2
Implementation-Vendor: PostgreSQL Global Development Group
Implementation-Vendor-Id: org.postgresql
Implementation-Version: 9.4.1212

This seems a very old version; do you think it is impacted by this CVE?

Do you know the procedure if I want to update it? The rundeck doc is not clear about this.

What I have today:

ll /var/lib/rundeck/exp/webapp/WEB-INF/lib/
total 1196
-rw-r--r-- 1 rundeck rundeck 539705 Jan 20  2015 postgresql-9.1-901.jdbc4.jar.old
-rw-r--r-- 1 rundeck rundeck 680445 Apr 20  2017 postgresql-9.4.1212.jar

Best regards

rac...@rundeck.com

Jul 13, 2022, 12:36:57 PM7/13/22
to rundeck-discuss
Hi Philippe,

That seems to be a directory from an old rundeck instance (probably an instance from before some upgrade?).

Take a look.

Uncompressing the war file (located in /var/lib/rundeck/bootstrap), you can see the 42.3.3 version.

Regards!

Philippe JOVET (EXT)

Jul 21, 2022, 4:31:32 AM7/21/22
to rundeck-discuss
Hello, found!

zipinfo /var/lib/rundeck/bootstrap/rundeck-4.3.1-20220615.war |grep -i postgresql
-rw-r--r-- 2.0 unx 1039047 b- stor 22-May-05 20:09 WEB-INF/lib/postgresql-42.3.3.jar

CVE (NVD CPE match): cpe:2.3:a:postgresql:postgresql_jdbc_driver::::::: From (including) 42.3.0 Up to (excluding) 42.3.2

 42.3.3 > 42.3.2

= OK


Thanks a lot!
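The check worked out by hand in this thread (list the pgjdbc jar inside the bootstrap WAR, read its version, compare it against the CVE-2022-21724 affected range) can be scripted so it is repeatable after every Rundeck upgrade. The script below is an added example for this thread, not Rundeck's own tooling and not code from any poster. It assumes the WAR path is passed as the first argument and that `unzip` is installed. The first affected range is the NVD range quoted above (42.3.0 inclusive to 42.3.2 exclusive); the second range, versions before the 42.2.25 fix release, is taken from the upstream pgjdbc advisory for this CVE and is not something the thread itself discusses.

```shell
#!/bin/sh
# Added example (not Rundeck's tooling): report the pgjdbc jar(s) bundled in a
# Rundeck WAR and whether each falls in a CVE-2022-21724 affected range.
set -eu

# Affected ranges as "lower_inclusive:upper_exclusive".
#  42.3.0:42.3.2 -> NVD range quoted in the thread
#  0:42.2.25     -> 42.2 series before the 42.2.25 fix release (from the upstream
#                   advisory; assumption added here, not stated in the thread)
PGJDBC_AFFECTED_RANGES="42.3.0:42.3.2 0:42.2.25"

# Numeric value of one dotted component; a non-digit suffix is dropped so that
# legacy names such as "9.1-901.jdbc4" still compare ("1-901" -> 1, "jdbc4" -> 0).
_num() {
  n=${1%%[!0-9]*}
  printf '%s' "${n:-0}"
}

# vercmp A B: prints -1, 0 or 1 for A<B, A==B, A>B (missing components count as 0,
# so 42.3 == 42.3.0).
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=$(_num "${a%%.*}"); bh=$(_num "${b%%.*}")
    if [ "$ah" -lt "$bh" ]; then printf '%s' -1; return 0; fi
    if [ "$ah" -gt "$bh" ]; then printf '%s' 1; return 0; fi
    case $a in *.*) a=${a#*.};; *) a=;; esac
    case $b in *.*) b=${b#*.};; *) b=;; esac
  done
  printf '%s' 0
}

# pgjdbc_affected VERSION: prints "yes" if VERSION lies in any affected range, else "no".
pgjdbc_affected() {
  v=$1
  for r in $PGJDBC_AFFECTED_RANGES; do
    lo=${r%%:*}; hi=${r#*:}
    if [ "$(vercmp "$v" "$lo")" -ge 0 ] && [ "$(vercmp "$v" "$hi")" -lt 0 ]; then
      printf '%s' yes; return 0
    fi
  done
  printf '%s' no
}

# pgjdbc_version_from_name WEB-INF/lib/postgresql-42.3.3.jar -> 42.3.3
pgjdbc_version_from_name() {
  n=${1##*/}; n=${n#postgresql-}
  printf '%s' "${n%.jar}"
}

# manifest_version WAR JARPATH: cross-check the filename version against the
# Implementation-Version in the nested jar's manifest (the field quoted in the
# thread). The nested jar is extracted to a temp file first, since unzip cannot
# read an archive from stdin.
manifest_version() {
  tmp=$(mktemp)
  unzip -p "$1" "$2" > "$tmp"
  unzip -p "$tmp" META-INF/MANIFEST.MF | tr -d '\r' | sed -n 's/^Implementation-Version: //p'
  rm -f "$tmp"
}

# check_war WAR: one line per bundled pgjdbc jar.
check_war() {
  war=$1
  unzip -Z1 "$war" | grep -E '^WEB-INF/lib/postgresql-[^/]+\.jar$' | while read -r jar; do
    v=$(pgjdbc_version_from_name "$jar")
    mv=$(manifest_version "$war" "$jar")
    printf '%s version=%s manifest=%s affected=%s\n' "$jar" "$v" "${mv:-unknown}" "$(pgjdbc_affected "$v")"
  done
}

if [ $# -gt 0 ]; then
  check_war "$1"   # e.g. check_war /var/lib/rundeck/bootstrap/rundeck-4.3.1-20220615.war
fi
```

Run it against the WAR under /var/lib/rundeck/bootstrap rather than the exploded webapp directory, since, as noted above, a stale exploded copy can carry jars from an earlier install and give a misleading answer.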

