Trio of SQL Injection Flaws Strike Amazon Redshift Drivers: Patch Immediately

CVE-2024-12744, CVE-2024-12745, and CVE-2024-12746

A trio of SQL injection vulnerabilities has been discovered in several Amazon Redshift drivers, potentially allowing attackers to escalate privileges and wreak havoc on your data. The vulnerabilities, tracked as CVE-2024-12744, CVE-2024-12745, and CVE-2024-12746, all carry a high-severity CVSS score of 8.0, underscoring the urgency of immediate action.

These flaws affect specific versions of the Amazon Redshift JDBC Driver, Python Connector, and ODBC Driver, highlighting a common weakness in how these tools handle metadata API calls. The vulnerable versions are:

  • Amazon Redshift JDBC Driver: Version 2.1.0.31
  • Amazon Redshift Python Connector: Version 2.1.4
  • Amazon Redshift ODBC Driver: Version 2.1.5.0 (Windows and Linux)

The core issue lies in how these affected driver versions handle user-supplied input when interacting with Redshift’s metadata APIs. These APIs, used to retrieve information about database schemas, tables, and columns (getSchemas, getTables, getColumns for JDBC and Python, and SQLTables, SQLColumns for ODBC), were susceptible to SQL injection attacks.

In essence, a malicious actor could craft specially designed input that, when processed by these vulnerable APIs, would allow them to inject their own SQL code into the queries sent to the Redshift server. This could potentially grant them escalated privileges, enabling them to access, modify, or even delete sensitive data.

The Amazon Redshift team has swiftly addressed these vulnerabilities by releasing patched versions for each affected driver:

  • Amazon Redshift JDBC Driver: Upgrade to version 2.1.0.32
  • Amazon Redshift Python Connector: Upgrade to version 2.1.5
  • Amazon Redshift ODBC Driver: Upgrade to version 2.1.6.0

The patches implement a crucial security enhancement: all metadata command inputs are now sent to the Redshift server as part of parameterized queries. Server-side, the user-supplied values are quoted and escaped with QUOTE_IDENT(string) (for identifiers such as schema and table names) or QUOTE_LITERAL(string) (for string values), effectively neutralizing the SQL injection threat. The command is then safely built and executed on the server.
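The following added example (not the Redshift drivers' own code) contrasts the two patterns the advisory describes: concatenating a caller-supplied schema or table name into a metadata query versus binding it as a parameter and quoting it server-side. The `quote_literal`/`quote_ident` helpers re-implement the escaping rules of the Redshift server functions in Python, and the query text, the `%s` placeholder convention and the constructed hostile table name are assumptions made for the demonstration.

```python
# Added illustration of the fix; the quoting helpers model QUOTE_LITERAL /
# QUOTE_IDENT semantics locally and the catalog query text is constructed.

def quote_literal(value: str) -> str:
    """QUOTE_LITERAL rule: wrap in single quotes and double any embedded
    single quote, so a value can never close the literal early."""
    return "'" + value.replace("'", "''") + "'"


def quote_ident(name: str) -> str:
    """QUOTE_IDENT rule: wrap in double quotes and double any embedded
    double quote, so the name is always parsed as one identifier."""
    return '"' + name.replace('"', '""') + '"'


def get_columns_unsafe(schema: str, table: str) -> str:
    """Pre-patch pattern: caller input spliced straight into the SQL text."""
    return (
        "SELECT column_name FROM information_schema.columns "
        f"WHERE table_schema = '{schema}' AND table_name = '{table}'"
    )


def get_columns_safe(schema: str, table: str) -> tuple:
    """Patched pattern: constant statement text plus bind parameters; the
    values travel separately and never appear in the SQL string itself."""
    sql = (
        "SELECT column_name FROM information_schema.columns "
        "WHERE table_schema = %s AND table_name = %s"
    )
    return sql, (schema, table)


def server_side_build(template: str, params: tuple) -> str:
    """Model of the server assembling the command from bound parameters:
    each value passes through QUOTE_LITERAL before touching the SQL text."""
    return template % tuple(quote_literal(p) for p in params)


def statement_count(sql: str) -> int:
    """Crude structural check used to compare the two builds: count statements
    by splitting on semicolons that sit outside single-quoted literals."""
    count, in_literal = 1, False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
        elif ch == ";" and not in_literal:
            count += 1
    return count


if __name__ == "__main__":
    hostile = "t'; SELECT 1; --"  # constructed input containing a quote
    print(statement_count(get_columns_unsafe("public", hostile)))  # 3
    sql, params = get_columns_safe("public", hostile)
    print(statement_count(server_side_build(sql, params)))  # 1
```

With the unsafe build the quote in the input turns one catalog query into three statements; with the parameterized build the same input stays a single literal, which is the property the patched drivers now enforce.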

If immediate upgrading is not feasible, Amazon recommends reverting to the previous, unaffected versions of each driver as a temporary workaround:

  • Amazon Redshift JDBC Driver: Revert to version 2.1.0.30
  • Amazon Redshift Python Connector: Revert to version 2.1.3
  • Amazon Redshift ODBC Driver: Revert to version 2.1.4.0 (Windows or Linux)
