About CVE-2022-41828: AWS Redshift JDBC Driver, a secure class loading and verification mechanism is required. (29-09-2022)

Preface: This design weakness was fixed in early June 2022. As we know, there is no mandatory policy on the vendor's side for when vulnerability details should be disclosed. It all depends on the vendor's analysis and judgement. So, as users, the only action we can take is to apply the patch.

Background: By default, Redshift stores data in a raw, uncompressed format, and you can choose whether to compress data. Each column within a table can use a different type of compression. It is possible to let Redshift automatically select encoding for column compression, or select it manually when creating a table.

Data Warehousing and Analytics Using Amazon Redshift
To access a Redshift data store using the Amazon Redshift JDBC Driver, you need to configure the following:

  • Referencing JDBC Driver Libraries
  • Registering the Driver Class
  • The connection URL for the driver

Vulnerability details: In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before 2.1.0.8, the Object Factory does not check the class type when instantiating an object from a class name.
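The weakness described above is a class of bug rather than one line of code: an ObjectFactory receives a class name (for example from a JNDI Reference), loads it with reflection and constructs it, without first confirming that the class is one the factory is meant to produce. The following is an added illustration written for this post, not the Redshift driver's own code and not the vendor's fix; the package name `com.example.driver`, the `DriverObject` interface and the `SampleDataSource` class are all constructed for the example. It places the unchecked pattern next to a hardened version that only constructs a class if it sits inside an allow-listed package and is assignable to the expected type, and that loads the class without running its static initialisers until that check has passed.

```java
package com.example.driver; // assumed package for this illustration only

import javax.naming.Context;
import javax.naming.Name;
import javax.naming.Reference;
import javax.naming.spi.ObjectFactory;
import java.util.Hashtable;

public class TypeCheckedObjectFactory implements ObjectFactory {

    // The only kind of object this factory is allowed to hand out (constructed for the example).
    public interface DriverObject {}

    // A constructed sample type that lives in the allow-listed package.
    public static class SampleDataSource implements DriverObject {}

    // Only class names under this prefix may be instantiated from a Reference.
    private static final String ALLOWED_PREFIX = "com.example.driver.";

    // Weak pattern: whatever class name the Reference carries is loaded and constructed.
    // Nothing ties the result to the type the caller expects.
    static Object instantiateUnchecked(String className) throws ReflectiveOperationException {
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    // Hardened pattern: verify package and type before any constructor or static initialiser runs.
    static DriverObject instantiateChecked(String className) throws ReflectiveOperationException {
        if (className == null || !className.startsWith(ALLOWED_PREFIX)) {
            throw new IllegalArgumentException("class name outside allow-listed package: " + className);
        }
        // initialize=false: resolve the class without running its static initialisers yet.
        Class<?> cls = Class.forName(className, false, TypeCheckedObjectFactory.class.getClassLoader());
        if (!DriverObject.class.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(className + " does not implement " + DriverObject.class.getName());
        }
        // Only now is the class initialised and constructed.
        return DriverObject.class.cast(cls.getDeclaredConstructor().newInstance());
    }

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx, Hashtable<?, ?> environment)
            throws Exception {
        if (!(obj instanceof Reference)) {
            return null; // not a Reference this factory handles
        }
        return instantiateChecked(((Reference) obj).getClassName());
    }

    public static void main(String[] args) throws Exception {
        // Allowed: in-package class implementing the expected type.
        DriverObject ok = instantiateChecked(SampleDataSource.class.getName());
        System.out.println("constructed " + ok.getClass().getSimpleName());

        // Rejected: a JDK class outside the allow-listed package is never loaded or constructed.
        try {
            instantiateChecked("java.util.ArrayList");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points in the checked version matter for a reviewer: the prefix check runs before `Class.forName` so an unexpected class is never even resolved, and the three-argument `Class.forName(name, false, loader)` defers static initialisation until the `isAssignableFrom` check has passed. A version-level check is still the practical remedy for deployed systems; the example only shows what "checking the class type" means in the driver's own terms.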

Remedy: upgrade to 2.1.0.8

Official detail: Please refer to the link for details – https://github.com/aws/amazon-redshift-jdbc-driver/commit/40b143b4698faf90c788ffa89f2d4d8d2ad068b5
