Impacted versions

Debezium Postgres Source Connector:
- 1.x versions < 1.9.6
- 2.x versions < 2.4.2
JDBC Source Connector:
- Any version < 10.7.6
Recommended action

Upgrade to the following connector versions:
- Debezium Postgres Source Connector >= version 2.4.2
- JDBC Source Connector >= version 10.7.6
- Please note that the impacted managed connectors in Confluent Cloud have been fixed already. No security impact was observed. No further action is necessary for Confluent Cloud customers.
Issue
A security issue was identified with the potential to impact both self-managed and Confluent Cloud managed connectors, because they rely on versions of the library org.postgresql:postgresql (the PostgreSQL JDBC driver) that are affected by CVE-2024-1597. SQL injection may be possible when the non-default connection property preferQueryMode=simple is used together with application code that contains a SQL statement negating a parameter value. There is no impact if the configured driver uses the default query mode. To exploit this behaviour, all of the following conditions must be met:
- A placeholder for a numeric value must be immediately preceded by a minus (i.e. -)
- There must be a second placeholder for a string value after the first placeholder on the same line.
- Both parameters must be user controllable.
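The three conditions above, together with the fixed versions listed in this advisory, translate directly into an audit a Connect operator can run over connector definitions. The script below is an added example, not Confluent's or Debezium's own tooling: it flags plugin versions below the fixed releases, detects the non-default preferQueryMode=simple setting (in the JDBC URL query string or, as an assumed pass-through form, in any property key ending in preferQueryMode), and applies the advisory's textual pattern (a placeholder immediately preceded by a minus with a second placeholder later on the same line) to a configured query. The connector class names, the `driver.*` key and the sample connector definitions are assumptions constructed for the example.

```python
"""Audit Kafka Connect connector definitions against the CVE-2024-1597 advisory.

Added example, not Confluent's or Debezium's own code. Connector class names,
the `driver.*` pass-through key and the sample configs below are assumptions.
"""
import re
from urllib.parse import parse_qs

# Fixed releases taken from the advisory: Debezium 1.x line at 1.9.6, 2.x line at
# 2.4.2; JDBC Source at 10.7.6. Keys are the connector class names as assumed here.
FIXED_VERSIONS = {
    "io.debezium.connector.postgresql.PostgresConnector": [(1, (1, 9, 6)), (2, (2, 4, 2))],
    "io.confluent.connect.jdbc.JdbcSourceConnector": [(None, (10, 7, 6))],
}

# "-?" : a placeholder immediately preceded by a minus; "[^\n]*\?" : a second
# placeholder later on the same line (the advisory's textual conditions).
NEGATED_PLACEHOLDER = re.compile(r"-\?[^\n]*\?")


def parse_version(version):
    """'2.4.2.Final' -> (2, 4, 2); tolerant of suffixes and missing components."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_fixed_version(connector_class, version):
    """True when the plugin version is at or above the fixed release for its major
    line; classes the advisory does not name are treated as out of scope."""
    thresholds = FIXED_VERSIONS.get(connector_class)
    if thresholds is None:
        return True
    v = parse_version(version)
    for major, fixed in thresholds:
        if major is None or v[0] == major:
            return v >= fixed
    # A major line newer than any listed (e.g. 3.x) postdates every listed fix.
    return v >= max(fixed for _, fixed in thresholds)


def uses_simple_query_mode(config):
    """Detect preferQueryMode=simple in the JDBC URL query string or as a
    pass-through driver property (key ending in 'preferQueryMode', assumed form)."""
    query_string = config.get("connection.url", "").partition("?")[2]
    params = parse_qs(query_string)
    if "simple" in [m.lower() for m in params.get("preferQueryMode", [])]:
        return True
    return any(k.endswith("preferQueryMode") and str(v).lower() == "simple"
               for k, v in config.items())


def has_negated_placeholder(sql):
    """Apply the advisory's pattern: '-?' followed by another '?' on the same line."""
    return bool(NEGATED_PLACEHOLDER.search(sql))


def audit(name, connector_class, version, config):
    """Return human-readable findings for one connector; an empty list means clean."""
    findings = []
    if not is_fixed_version(connector_class, version):
        findings.append(f"{name}: {connector_class} {version} is below the fixed release; upgrade")
    if uses_simple_query_mode(config):
        findings.append(f"{name}: non-default preferQueryMode=simple is set (precondition for CVE-2024-1597)")
    sql = config.get("query", "")
    if sql and has_negated_placeholder(sql):
        findings.append(f"{name}: query negates a placeholder ('-?') with a second placeholder on the same line")
    return findings


# Constructed sample connector definitions (name, class, plugin version, config);
# not taken from any real deployment.
SAMPLE_CONNECTORS = [
    ("pg-cdc-old", "io.debezium.connector.postgresql.PostgresConnector", "2.3.4.Final",
     {"database.hostname": "db", "driver.preferQueryMode": "simple"}),
    ("pg-cdc-fixed", "io.debezium.connector.postgresql.PostgresConnector", "2.4.2.Final",
     {"database.hostname": "db"}),
    ("jdbc-src", "io.confluent.connect.jdbc.JdbcSourceConnector", "10.7.5",
     {"connection.url": "jdbc:postgresql://db:5432/app?preferQueryMode=simple&ssl=true",
      "query": "SELECT id, bal FROM acct WHERE bal = -? AND owner = ?"}),
]


def audit_all(connectors=SAMPLE_CONNECTORS):
    """Map each connector name to its findings."""
    return {name: audit(name, cls, ver, cfg) for name, cls, ver, cfg in connectors}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

The version check alone is what the "Recommended action" section asks for; the two configuration checks matter for self-managed Connect because, as the advisory notes, the vulnerable state also needs the non-default query mode and a specific SQL shape, both of which live in connector configuration that only a privileged user can create or update.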
Self-managed Connect users are impacted only if the vulnerable source connector versions noted in the section above are installed. To mount a successful attack, an adversary would also require elevated privileges to create or update the vulnerable connector configurations.
Confluent Cloud managed connector versions were also identified to be vulnerable to CVE-2024-1597. However, no security impact on managed Connect clusters was observed due to this vulnerability. The affected connectors have since been upgraded with the appropriate fix and no further action is necessary.
Remediation

Self-Managed Connectors:
This issue is resolved in the updated connector versions for use with Confluent Platform:
Debezium Postgres Source
- >= version 2.4.2
- >= version 1.9.6
JDBC Source
- >= version 2.1.9
Confluent Cloud:
Managed Debezium and JDBC connector versions in Confluent Cloud were already patched to address this issue. No further action is necessary.