Backwards incompatible change in the postgresql-jdbc updates to fix CVE-2020-13692
Introduction
The postgresql-jdbc packages provide the PostgreSQL JDBC driver (PgJDBC for short), an implementation of the Java Database Connectivity (JDBC) API that allows Java programs to connect to a PostgreSQL database using standard, database-independent Java code.
The PgSQLXML class provides an implementation of the java.sql.SQLXML interface for accessing XML values stored in database tables.
An XML eXternal Entity (XXE) flaw was discovered in the PgSQLXML implementation that is known as CVE-2020-13692. This flaw could possibly allow disclosure of confidential data (such as content of local files), denial of service, server side request forgery (SSRF), or other impacts, if specially crafted XML documents are processed by PgSQLXML.
Description of problem
In order to fix the CVE-2020-13692 issue, the PgSQLXML implementation in postgresql-jdbc was modified to disable loading of external entities and document type definitions (DTD) by default. This change may introduce a regression in environments that rely on processing of external entities or DTDs.
Resolution
For environments that require processing of external entities or DTDs, it is possible to configure PgSQLXML to use the previous behaviour and load external entities and DTDs. This legacy behaviour can be enabled for each database connection by setting the xmlFactoryFactory property to the value LEGACY_INSECURE.
Note: This setting enables processing of external entities and DTDs and therefore re-introduces the CVE-2020-13692 issue. It should only be used when the XML documents stored in the database and processed using PgSQLXML are fully trusted.
The following example demonstrates how to create a PgJDBC database connection with the legacy insecure behaviour by setting the xmlFactoryFactory property to the value LEGACY_INSECURE.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

// url is the JDBC URL of the database, e.g. jdbc:postgresql://host:5432/dbname
public Connection connect(String url) {
    Connection conn = null;
    Properties props = new Properties();
    props.setProperty("user", "postgres");
    props.setProperty("password", "test");
    // Re-enables loading of external entities and DTDs (re-introduces CVE-2020-13692)
    props.setProperty("xmlFactoryFactory", "LEGACY_INSECURE");
    try {
        conn = DriverManager.getConnection(url, props);
        System.out.println("Connected to the PostgreSQL server successfully.");
    } catch (SQLException e) {
        System.out.println(e.getMessage());
    }
    return conn;
}
Alternatively, the xmlFactoryFactory property can be set to the name of a custom class that implements the org.postgresql.xml.PGXmlFactoryFactory interface. Such a class creates the factory instances used for XML processing, with custom handling of external entities and DTDs, so that only the processing an environment actually needs is re-enabled.