A critical SQL injection vulnerability (CVE-2024-32888) has been discovered in the Amazon JDBC Driver for Redshift, a widely-used tool for connecting Java applications to Amazon’s Redshift data warehouse service. The flaw, if exploited, could allow attackers to execute unauthorized commands on affected systems, potentially leading to data breaches, unauthorized access, or even complete system takeover.
The Vulnerability
The vulnerability arises when users configure the Redshift JDBC driver with a non-default setting called preferQueryMode=simple. In this mode, the driver becomes susceptible to SQL injection attacks if the application code includes poorly constructed queries that attempt to negate parameter values. Attackers can inject malicious SQL code into these vulnerable queries, manipulating the database’s behavior for their own gain.
Impact and Severity
The vulnerability carries a CVSS score of 10, the highest possible severity rating. This indicates the potential for widespread exploitation and significant impact on affected systems. Organizations that use the Redshift JDBC driver with the preferQueryMode=simple setting are particularly at risk.
Mitigation and Patch
Amazon has responded swiftly to this critical vulnerability by releasing a patch. The issue has been resolved in driver version 2.1.0.28. Users are strongly advised to upgrade to this latest version to mitigate the risk associated with CVE-2024-32888.
As a temporary workaround, users can simply avoid using the preferQueryMode=simple setting. By default, the driver uses the “extended query mode,” which is not affected by the vulnerability.
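The two conditions the article describes (the non-default preferQueryMode=simple setting and a driver older than the fixed release 2.1.0.28) are easy to check mechanically before a deployment goes out. The following Python is an added example written for this page; it is not code from Amazon or from the Redshift JDBC driver. It assumes the connection URL follows the jdbc:redshift://host:port/database?key=value&key2=value2 form, treats property names case-insensitively and lets explicit properties override URL parameters (both conservative assumptions for a detector), and uses a simple regex for "a negation applied directly to a bound parameter placeholder" as a hint for code review. The cluster hostname in the usage section is constructed.

```python
import re
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Facts taken from the advisory text: the risky non-default setting and the fixed version.
RISKY_KEY = "preferQueryMode"
RISKY_VALUE = "simple"
FIXED_VERSION = (2, 1, 0, 28)

# Assumption: this is how the JDBC URL scheme prefix looks for the Redshift driver.
JDBC_PREFIX = "jdbc:"
REDSHIFT_SCHEME = "redshift"


def parse_version(version: str) -> tuple:
    """Turn a dotted driver version such as '2.1.0.27' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split("."))


def _split_jdbc(url: str):
    """Validate the URL and return its urlsplit() parts (without the 'jdbc:' prefix)."""
    if not url.lower().startswith(JDBC_PREFIX):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(url[len(JDBC_PREFIX):])
    if parts.scheme.lower() != REDSHIFT_SCHEME:
        raise ValueError("not a Redshift JDBC URL")
    return parts


def jdbc_url_params(url: str) -> dict:
    """Extract connection parameters from the URL query string, keys lower-cased."""
    parts = _split_jdbc(url)
    return {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}


def assess_connection(url: str, properties: Optional[dict] = None,
                      driver_version: Optional[str] = None) -> dict:
    """Report exposure to CVE-2024-32888 for one connection configuration.

    simple_mode:     preferQueryMode=simple is in effect (URL or properties).
    outdated_driver: a version was given and it is older than 2.1.0.28.
    exposed:         simple mode is on and the driver is unknown or outdated.
    """
    params = jdbc_url_params(url)
    # Assumption: explicitly supplied properties override URL parameters.
    for key, value in (properties or {}).items():
        params[key.lower()] = value
    mode = params.get(RISKY_KEY.lower())
    simple_mode = mode is not None and mode.strip().lower() == RISKY_VALUE
    outdated = driver_version is not None and parse_version(driver_version) < FIXED_VERSION
    exposed = simple_mode and (driver_version is None or outdated)
    return {"simple_mode": simple_mode, "outdated_driver": outdated, "exposed": exposed}


def harden_url(url: str) -> str:
    """Return the URL with the risky setting removed, so the driver falls back to
    its default extended query mode (the workaround the advisory recommends)."""
    parts = _split_jdbc(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() != RISKY_KEY.lower()]
    return JDBC_PREFIX + urlunsplit(parts._replace(query=urlencode(kept)))


def find_negated_placeholders(sql: str) -> int:
    """Count places where a minus sign is written directly against a '?' placeholder.

    Assumption: this is the 'negate a parameter value' query shape the advisory warns
    about; occurrences are flagged for manual review, not rewritten automatically.
    """
    return len(re.findall(r"-\?", sql))


if __name__ == "__main__":
    # Constructed sample values; the hostname is a placeholder, not a real cluster.
    risky_url = ("jdbc:redshift://examplecluster.example.com:5439/dev"
                 "?preferQueryMode=simple&ssl=true")
    print(assess_connection(risky_url, driver_version="2.1.0.27"))
    print(harden_url(risky_url))
    print(find_negated_placeholders("SELECT -? AS balance FROM ledger WHERE id = ?"))
```

Run it against the connection strings and driver versions pulled from an application's configuration management; anything reported as exposed should either be upgraded to 2.1.0.28 or have the setting removed with harden_url, and any query the lint flags deserves a look before the upgrade lands.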