
Summary: A series of SQL injection vulnerabilities in Amazon Redshift drivers could allow attackers to escalate privileges and compromise sensitive data. Immediate action is required to mitigate these high-severity flaws.
Threat Actor: Unknown | unknown
Victim: Amazon Redshift | Amazon Redshift
Key Points:
- Three SQL injection vulnerabilities tracked as CVE-2024-12744, CVE-2024-12745, and CVE-2024-12746 have been identified.
- The vulnerabilities affect specific versions of the Amazon Redshift JDBC Driver, Python Connector, and ODBC Driver.
- Attackers could exploit these flaws to inject SQL code, potentially gaining escalated privileges and access to sensitive data.
- Amazon has released patched versions of the affected drivers to address these vulnerabilities.
- For those unable to upgrade immediately, reverting to previous unaffected driver versions is recommended as a temporary solution.

Three SQL injection vulnerabilities have been discovered in Amazon Redshift client drivers. An attacker who can influence the input passed to the affected calls could inject SQL into the queries the driver sends to the cluster, and thereby escalate privileges and read, modify or delete data. The vulnerabilities, tracked as CVE-2024-12744, CVE-2024-12745, and CVE-2024-12746, each carry a high-severity CVSS score of 8.0, so patching should be treated as urgent.
These flaws affect one specific release of each of the Amazon Redshift JDBC Driver, Python Connector, and ODBC Driver, and share a common root cause in how those releases build metadata API queries. Only the following versions are listed as affected (the releases immediately before and after them are not):
- Amazon Redshift JDBC Driver: Version 2.1.0.31
- Amazon Redshift Python Connector: Version 2.1.4
- Amazon Redshift ODBC Driver: Version 2.1.5.0 (Windows and Linux)
The core issue lies in how these affected driver versions handle user-supplied input when interacting with Redshift's metadata APIs. These APIs retrieve information about database schemas, tables, and columns (getSchemas, getTables, getColumns for JDBC and Python; SQLTables, SQLColumns for ODBC), and the schema, table and column name patterns passed to them were incorporated into the catalog query without proper escaping, leaving the query open to SQL injection.
In practice, anyone who controls the strings an application hands to these calls (for example an end user of a reporting, BI or data-catalog tool that forwards user-chosen schema or table filters to the driver) could craft input that closes the intended string literal and appends SQL of their own. The injected statement runs on the Redshift server with the privileges of the connected database user, which is how the attacker can gain escalated privileges and then access, modify, or delete sensitive data.
The Amazon Redshift team has swiftly addressed these vulnerabilities by releasing patched versions for each affected driver:
- Amazon Redshift JDBC Driver: Upgrade to version 2.1.0.32
- Amazon Redshift Python Connector: Upgrade to version 2.1.5
- Amazon Redshift ODBC Driver: Upgrade to version 2.1.6.0
The patches combine two distinct measures. First, the drivers no longer splice metadata command inputs into the SQL text; the inputs are sent to the Redshift server as bind parameters of parameterized queries, so the statement text is constant regardless of the input. Second, where the server must embed such a value in the final metadata command, it escapes it with QUOTE_IDENT(string) when the value names an object (schema, table, column) or QUOTE_LITERAL(string) when the value is a string literal such as a LIKE pattern, and only then builds and executes the command. Together these close the injection path in all three drivers.
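The following is an added example, not code from the Amazon Redshift drivers, that shows both the vulnerable and the hardened construction side by side. It assumes a getTables()-style lookup against a PostgreSQL-compatible catalog (the real drivers' query text is not shown in the advisory, so the template is an assumption), and it emulates the server-side QUOTE_LITERAL and QUOTE_IDENT rules with two small Python helpers (quote doubling only; backslash handling is omitted). The attacker-controlled table pattern is constructed for the demonstration.

```python
"""Vulnerable vs. hardened construction of a Redshift-style metadata query.

Added example, not code from the Amazon Redshift drivers.  The catalog query
below is an assumption about the *shape* of a getTables()-style lookup against
a PostgreSQL-compatible catalog; the real drivers' query text is not shown in
the advisory.  quote_literal()/quote_ident() emulate the server-side
QUOTE_LITERAL/QUOTE_IDENT rules (quote doubling only; backslash handling is
omitted for brevity).
"""

# Assumed shape of the driver's catalog query (not the real driver text).
GET_TABLES_TEMPLATE = (
    "SELECT n.nspname AS table_schem, c.relname AS table_name "
    "FROM pg_catalog.pg_class c "
    "JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace "
    "WHERE n.nspname LIKE {schema} AND c.relname LIKE {table}"
)


def build_get_tables_vulnerable(schema_pattern: str, table_pattern: str) -> str:
    """Pre-fix pattern: the caller's patterns are spliced into the SQL text,
    so a single quote in either one rewrites the statement."""
    return GET_TABLES_TEMPLATE.format(
        schema=f"'{schema_pattern}'", table=f"'{table_pattern}'"
    )


def build_get_tables_fixed(schema_pattern: str, table_pattern: str):
    """Post-fix pattern: the SQL text is a constant with %s placeholders and
    the patterns travel separately as bind parameters (redshift_connector uses
    the DB-API 'format' paramstyle), i.e. cursor.execute(sql, params)."""
    sql = GET_TABLES_TEMPLATE.format(schema="%s", table="%s")
    return sql, (schema_pattern, table_pattern)


def quote_literal(value: str) -> str:
    """Emulates QUOTE_LITERAL: single-quote the value, doubling embedded quotes."""
    return "'" + value.replace("'", "''") + "'"


def quote_ident(name: str) -> str:
    """Emulates QUOTE_IDENT: double-quote the name, doubling embedded quotes.
    (PostgreSQL only adds the quotes when needed; always adding them names
    the same object.)"""
    return '"' + name.replace('"', '""') + '"'


def render_server_side(sql: str, params) -> str:
    """Emulates the server building the final command from bound parameters,
    escaping each one with QUOTE_LITERAL before it is embedded."""
    return sql % tuple(quote_literal(p) for p in params)


def injection_detected(schema_pattern: str, table_pattern: str) -> bool:
    """True when splicing the raw input produced a different statement than the
    parameterised path, i.e. the input changed the SQL structure."""
    spliced = build_get_tables_vulnerable(schema_pattern, table_pattern)
    sql, params = build_get_tables_fixed(schema_pattern, table_pattern)
    return spliced != render_server_side(sql, params)


# Constructed attacker-controlled table pattern: closes the literal, adds a
# tautology so every relation in the cluster matches, and comments out the
# trailing quote.  Any other SQL could be appended at that point.
MALICIOUS_TABLE_PATTERN = "x' OR 1=1 --"


if __name__ == "__main__":
    print("benign :", injection_detected("public", "orders%"))
    print("hostile:", injection_detected("public", MALICIOUS_TABLE_PATTERN))
    print(build_get_tables_vulnerable("public", MALICIOUS_TABLE_PATTERN))
    sql, params = build_get_tables_fixed("public", MALICIOUS_TABLE_PATTERN)
    print(render_server_side(sql, params))
    # Identifier context: the same kind of payload is just an odd table name.
    print(quote_ident('t"; DROP TABLE customers; --'))
```

Run stand-alone, the vulnerable builder ends its statement with `LIKE 'x' OR 1=1 --'`, where the attacker's quote has terminated the pattern and the comment marker has swallowed the driver's closing quote; the parameterized path renders the same input as `LIKE 'x'' OR 1=1 --'`, a harmless literal. The identifier case shows why the server picks QUOTE_IDENT rather than QUOTE_LITERAL for object names: the payload becomes a quoted identifier that simply names a non-existent table.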
If immediate upgrading is not feasible, Amazon recommends rolling back to the release immediately preceding the affected one, which is not affected, as a temporary workaround until the patched version can be deployed:
- Amazon Redshift JDBC Driver: Revert to version 2.1.0.30
- Amazon Redshift Python Connector: Revert to version 2.1.3
- Amazon Redshift ODBC Driver: Revert to version 2.1.4.0 (Windows or Linux)