
Trio of SQL Injection Vulnerabilities Found in Amazon Redshift Drivers: Update Now

Three SQL injection vulnerabilities have been identified in specific Amazon Redshift drivers, each posing a risk of privilege escalation and data compromise. The vulnerabilities, tracked as CVE-2024-12744 (JDBC Driver), CVE-2024-12745 (Python Connector) and CVE-2024-12746 (ODBC Driver), each carry a CVSS base score of 8.0 (High), so remediation should not wait.


These flaws affect one release each of the Amazon Redshift JDBC Driver, Python Connector, and ODBC Driver, and stem from the way those releases build the SQL behind their metadata API calls. Affected versions are:

  • Amazon Redshift JDBC Driver: Version 2.1.0.31
  • Amazon Redshift Python Connector: Version 2.1.4
  • Amazon Redshift ODBC Driver: Version 2.1.5.0 (Windows and Linux)
The vulnerabilities arise from improper handling of caller-supplied input when the drivers interact with Redshift's metadata APIs. These APIs, which fetch database schema, table, and column information, accepted names and patterns from the application and spliced them directly into the SQL sent to the cluster, so a specially crafted schema, table, or column name was parsed as SQL rather than treated as a name.

Injected SQL runs with the privileges of the database user the driver is connected as. An attacker who can influence the names passed to these metadata calls (for example, through an application that looks up user-chosen tables) could therefore read data beyond what the application intended to expose, escalate privileges within the database, and modify or delete critical information.

Amazon Redshift has acted swiftly to mitigate these risks, releasing updated versions of the affected drivers:
  • Amazon Redshift JDBC Driver: Upgrade to version 2.1.0.32
  • Amazon Redshift Python Connector: Upgrade to version 2.1.5
  • Amazon Redshift ODBC Driver: Upgrade to version 2.1.6.0
The updated drivers change how metadata commands are sent: values are transmitted as parameters of a parameterized query wherever the SQL grammar allows it, and where a name has to appear in identifier position (which cannot be bound as a parameter) it is escaped with QUOTE_IDENT(string); string values that must be interpolated are escaped with QUOTE_LITERAL(string). Either way the server no longer interprets caller-supplied names as SQL, which closes the injection.
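The following added example (written for this page, not code from the Amazon Redshift drivers) shows the bug class and both fixes side by side. It stands in a SQLite in-memory database for the cluster and three constructed tables for the warehouse; `quote_literal` and `quote_ident` are hand-written emulations of the Redshift/PostgreSQL functions of the same name, written here only so the example runs offline. The `find_table_*` functions put the caller's table name in a value position, where a bound parameter is the right fix; the `list_columns_*` functions put it in identifier position, where only identifier quoting applies.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a warehouse with three tables (not Redshift)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE orders(id INTEGER, total REAL);
        CREATE TABLE customers(id INTEGER, email TEXT);
        CREATE TABLE salaries(id INTEGER, amount REAL);
    """)
    return conn


# --- value position: the table name is compared as a string ---

def find_table_vulnerable(conn, table_name):
    """The bug class: caller-supplied name concatenated into the metadata query."""
    sql = ("SELECT name FROM sqlite_master WHERE type = 'table' "
           "AND name = '" + table_name + "' ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


def find_table_parameterized(conn, table_name):
    """Fix 1: bind the name as a query parameter; the server never parses it as SQL."""
    sql = ("SELECT name FROM sqlite_master WHERE type = 'table' "
           "AND name = ? ORDER BY name")
    return [row[0] for row in conn.execute(sql, (table_name,))]


def quote_literal(value):
    """Emulation of QUOTE_LITERAL: single-quote the value, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def find_table_quoted(conn, table_name):
    """Fix 2: when a parameter cannot be used, escape the value before interpolating it."""
    sql = ("SELECT name FROM sqlite_master WHERE type = 'table' "
           "AND name = " + quote_literal(table_name) + " ORDER BY name")
    return [row[0] for row in conn.execute(sql)]


# --- identifier position: the table name is an object name, not a bindable value ---

def quote_ident(name):
    """Emulation of QUOTE_IDENT: double-quote the name, doubling embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def list_columns_vulnerable(conn, table_name):
    """Column listing via a zero-row select; the raw name lets the caller alter the FROM clause."""
    cur = conn.execute("SELECT * FROM " + table_name + " LIMIT 0")
    return [d[0] for d in cur.description]


def list_columns_quoted(conn, table_name):
    """Hardened form: the whole input is one quoted identifier, so it must name a real table."""
    cur = conn.execute("SELECT * FROM " + quote_ident(table_name) + " LIMIT 0")
    return [d[0] for d in cur.description]


if __name__ == "__main__":
    db = make_db()
    crafted = "orders' OR '1'='1"          # constructed attacker-controlled table name
    print(find_table_vulnerable(db, crafted))     # every table name leaks
    print(find_table_parameterized(db, crafted))  # [] : no table has that literal name
    print(find_table_quoted(db, crafted))         # [] : quotes doubled, comparison is literal
    print(list_columns_vulnerable(db, "orders, salaries"))  # columns of salaries leak too
    try:
        list_columns_quoted(db, "orders, salaries")
    except sqlite3.OperationalError as err:
        print("rejected:", err)                   # no such table "orders, salaries"
```

The tautology in `crafted` turns the vulnerable lookup into a listing of every table, and the cross join smuggled through `list_columns_vulnerable` reveals columns of a table the caller never named; in a real cluster the same positions accept subqueries and, depending on the driver, stacked statements. Note that `quote_ident` does not validate the name, it only guarantees the input is treated as exactly one identifier, which is why the hardened call fails cleanly instead of running attacker SQL.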

For users unable to upgrade immediately, Amazon notes that the vulnerability is confined to the single affected release of each driver, so rolling back to the preceding, unaffected version is an interim option:

  • Amazon Redshift JDBC Driver: Version 2.1.0.30
  • Amazon Redshift Python Connector: Version 2.1.3
  • Amazon Redshift ODBC Driver: Version 2.1.4.0 (Windows and Linux)
Amazon emphasizes upgrading to the fixed versions rather than staying on a rollback. Check the version actually deployed, not just the one in your dependency file: for example `pip show redshift_connector` for the Python Connector, the `com.amazon.redshift:redshift-jdbc42` artifact version pulled into your Java build, and the driver version shown in the ODBC data source configuration on each host.