Backwards incompatible change in the postgresql-jdbc updates to fix CVE-2020-13692


Introduction

The postgresql-jdbc packages provide the PostgreSQL JDBC driver (PgJDBC for short), an implementation of the Java Database Connectivity (JDBC) API that allows Java programs to connect to a PostgreSQL database using standard, database-independent Java code.

The PgSQLXML class provides an implementation of the java.sql.SQLXML interface for accessing XML values stored in database tables.

An XML eXternal Entity (XXE) flaw was discovered in the PgSQLXML implementation and is tracked as CVE-2020-13692. If specially crafted XML documents are processed by PgSQLXML, this flaw could allow disclosure of confidential data (such as the content of local files), denial of service, server-side request forgery (SSRF), or other impacts.

Description of problem

In order to fix the CVE-2020-13692 issue, the PgSQLXML implementation in postgresql-jdbc was modified to disable loading of external entities and document type definitions (DTD) by default. This change may introduce a regression in environments that rely on processing of external entities or DTDs.

Resolution

For environments that require processing of external entities or DTDs, PgSQLXML can be configured to use the previous behaviour and load external entities and DTDs. This legacy behaviour is enabled per database connection by setting the xmlFactoryFactory connection property to the value LEGACY_INSECURE.

Note: This setting enables processing of external entities and DTDs and therefore re-introduces the CVE-2020-13692 issue. It should only be used when the XML documents stored in the database and processed using PgSQLXML are fully trusted.

The following example demonstrates how to create a PgJDBC database connection with the legacy insecure behaviour by setting the xmlFactoryFactory connection property to LEGACY_INSECURE.

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class LegacyXmlConnection {
    // JDBC URL of the target database; host, port and database name are placeholders
    private final String url = "jdbc:postgresql://localhost:5432/postgres";

    public Connection connect() {
        Connection conn = null;
        Properties props = new Properties();
        props.setProperty("user", "postgres");
        props.setProperty("password", "test");
        // Re-enables external entity and DTD processing in PgSQLXML (see the note above)
        props.setProperty("xmlFactoryFactory", "LEGACY_INSECURE");
        try {
            conn = DriverManager.getConnection(url, props);
            System.out.println("Connected to the PostgreSQL server successfully.");
        } catch (SQLException e) {
            System.out.println(e.getMessage());
        }
        return conn;
    }
}

Alternatively, the xmlFactoryFactory property can be set to the fully qualified name of a custom class that implements the org.postgresql.xml.PGXmlFactoryFactory interface. The driver then uses that class to create the XML parser, reader and transformer factories that PgSQLXML works with, so the handling of external entities and DTDs can be tuned to exactly what the application needs instead of choosing between the hardened default and the fully insecure legacy behaviour.
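The following class is an added example, not code from the original article or from the PgJDBC project. It shows a custom PGXmlFactoryFactory that takes a middle position between the two built-in behaviours: DOCTYPE declarations and internal DTDs are accepted (which the hardened default rejects), but no external entity or external DTD is ever fetched, so the CVE-2020-13692 file disclosure and SSRF paths stay closed. The class name, the package it would live in, and the sample payload in main() are hypothetical and constructed for illustration. The six methods implemented here match the PGXmlFactoryFactory interface shipped with the fixed driver; check them against the interface in the driver version you deploy. The Apache-specific load-external-dtd feature is recognized by the JDK's bundled Xerces parser and may need to be dropped on another JAXP implementation.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXTransformerFactory;
import org.postgresql.xml.PGXmlFactoryFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;

/**
 * Hypothetical factory: DTDs allowed, external resolution forbidden.
 * Select it per connection with
 *   props.setProperty("xmlFactoryFactory", "com.example.xml.DtdOnlyXmlFactoryFactory");
 * (package name is an assumption). The driver loads the class by name and
 * instantiates it, so it needs a public no-argument constructor and must be on
 * the application classpath.
 */
public final class DtdOnlyXmlFactoryFactory implements PGXmlFactoryFactory {

    private static final String EXTERNAL_GENERAL   = "http://xml.org/sax/features/external-general-entities";
    private static final String EXTERNAL_PARAMETER = "http://xml.org/sax/features/external-parameter-entities";
    private static final String LOAD_EXTERNAL_DTD  = "http://apache.org/xml/features/nonvalidating/load-external-dtd";

    @Override
    public DocumentBuilder newDocumentBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); // entity expansion limits
        // Deliberately NOT setting disallow-doctype-decl: <!DOCTYPE ...> stays usable.
        f.setFeature(EXTERNAL_GENERAL, false);    // &ext; entities are not resolved
        f.setFeature(EXTERNAL_PARAMETER, false);  // %ext; entities are not resolved
        f.setFeature(LOAD_EXTERNAL_DTD, false);   // SYSTEM/PUBLIC DTDs are not fetched
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        DocumentBuilder b = f.newDocumentBuilder();
        // Defence in depth: should any external reference still be resolved, it resolves to nothing.
        b.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
        return b;
    }

    @Override
    public TransformerFactory newTransformerFactory() {
        TransformerFactory f = TransformerFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");        // no protocols allowed
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    @Override
    public SAXTransformerFactory newSAXTransformerFactory() {
        SAXTransformerFactory f = (SAXTransformerFactory) SAXTransformerFactory.newInstance();
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return f;
    }

    @Override
    public XMLInputFactory newXMLInputFactory() {
        XMLInputFactory f = XMLInputFactory.newInstance();
        f.setProperty(XMLInputFactory.SUPPORT_DTD, true);                        // keep DTDs
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);   // never fetch them
        return f;
    }

    @Override
    public XMLOutputFactory newXMLOutputFactory() {
        return XMLOutputFactory.newInstance(); // output needs no entity handling
    }

    @Override
    public XMLReader createXMLReader() throws SAXException {
        SAXParserFactory f = SAXParserFactory.newInstance();
        try {
            f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
            f.setFeature(EXTERNAL_GENERAL, false);
            f.setFeature(EXTERNAL_PARAMETER, false);
            f.setFeature(LOAD_EXTERNAL_DTD, false);
            XMLReader r = f.newSAXParser().getXMLReader();
            r.setEntityResolver((publicId, systemId) -> new InputSource(new StringReader("")));
            return r;
        } catch (ParserConfigurationException e) {
            throw new SAXException(e);
        }
    }

    // Smoke test with a constructed XXE payload (not from the original page):
    // the DOCTYPE is accepted, but no file content reaches the document.
    public static void main(String[] args) throws Exception {
        String payload = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"file:///etc/passwd\">]>"
                + "<r>&xxe;</r>";
        DocumentBuilder b = new DtdOnlyXmlFactoryFactory().newDocumentBuilder();
        String text = b.parse(new InputSource(new StringReader(payload)))
                       .getDocumentElement().getTextContent();
        System.out.println("external entity resolved: " + !text.isEmpty());
    }
}
```

Two caveats follow from what this factory does and does not disable. Internal DTDs remain a denial-of-service vector through recursive entity expansion ("billion laughs"); FEATURE_SECURE_PROCESSING caps the expansion count, but if the XML stored in the database is untrusted, the hardened default factory is still the right choice. And because the driver only selects the factory by class name, a typo in the property value fails the connection rather than silently falling back, which is worth a startup check in deployment.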
