Preface: This design weakness was fixed on earlier June 2022. As we know, there is no mandatory policy on vendor side when should be disclosed the vulnerability details. It all depends on vendor analysis and judgement. So, as a user we only take the action to do the patching.
Background: By default, Redshift stores data in a raw, uncompressed format, and you can choose whether to compress data. Each column within a table can use a different type of compression. It is possible to let Redshift automatically select encoding for column compression, or select it manually when creating a table.
Data Warehousing and Analytics Using Amazon Redshift
To access a Redshift data store using the Amazon Redshift JDBC Driver, you need to configure the following:
- Referencing JDBC Driver Libraries
- Registering the Driver Class
- The connection URL for the driver
Vulnerability details: In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 22.214.171.124, the Object Factory does not check the class type when instantiating an object from a class name.
Remedy: upgrade to 126.96.36.199
Official detail: Please refer to the link for details – https://github.com/aws/amazon-redshift-jdbc-driver/commit/40b143b4698faf90c788ffa89f2d4d8d2ad068b5