PT-2022-26085 · Amazon · Amazon Redshift Jdbc Driver

Plygrnd · Published 2022-09-29 · Updated 2025-05-20 · CVE-2022-41828

CVSS v3.1 8.8 High

Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Amazon AWS Redshift JDBC Driver versions prior to 2.1.0.8

Description

The object factory in the Amazon AWS Redshift JDBC Driver does not check the class type when it instantiates an object from a class name, which can lead to remote code execution when plugins are used with the driver. The driver instantiates plugin instances from Java class names supplied through the sslhostnameverifier, socketFactory, sslfactory and sslpasswordcallback connection properties without first verifying that the named class implements the interface the property expects. A knowledgeable attacker who controls the JDBC URL can therefore name any class on the driver's classpath and have it loaded and instantiated, and use that to achieve remote code execution. The CVSS vector (AV:N, PR:N, UI:R) reflects that no privileges are required, but a user or application on the victim side must connect using the attacker-supplied URL.

Recommendations

Upgrade to Amazon AWS Redshift JDBC Driver version 2.1.0.8 or later. There are no known workarounds, so upgrading to the patched version is the recommended course of action. This is especially important where plugins are used with the driver, since that is the configuration exposed to remote code execution. Until the upgrade is applied, exposure is limited to deployments in which an attacker can influence the JDBC URL or its connection properties.
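The following is an added illustration of the weakness class described above, written for this page; it is not the Amazon Redshift JDBC driver's own code. It contrasts a factory that constructs whatever class name arrives in a connection property with one that resolves the class without initialising it and rejects it unless it is a subtype of the interface the property is documented to accept. The class and method names (PluginFactoryExample, loadPluginUnchecked, loadPluginChecked, EXPECTED_TYPES, ExampleCallbackHandler), the mapping of each property to an interface, the socketFactoryArg companion property and the sample URL are assumptions made for the example.

```java
import java.lang.reflect.Constructor;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.SocketFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;

/*
 * Added example for CVE-2022-41828's weakness class (CWE-704), not the
 * Redshift driver's code. Names and the property->interface mapping below
 * are assumptions (modelled on pgjdbc-style drivers).
 */
public class PluginFactoryExample {

    // The four connection properties named in the advisory, each paired with
    // the interface a value for that property is expected to implement.
    static final Map<String, Class<?>> EXPECTED_TYPES = new LinkedHashMap<>();
    static {
        EXPECTED_TYPES.put("socketFactory", SocketFactory.class);
        EXPECTED_TYPES.put("sslfactory", SSLSocketFactory.class);
        EXPECTED_TYPES.put("sslhostnameverifier", HostnameVerifier.class);
        EXPECTED_TYPES.put("sslpasswordcallback", CallbackHandler.class);
    }

    // Shared reflective construction: prefer a (String) constructor for the
    // assumed "...Arg" companion property, fall back to the no-arg constructor.
    private static Object instantiate(Class<?> cls, String arg) throws Exception {
        try {
            Constructor<?> ctor = cls.getConstructor(String.class);
            return ctor.newInstance(arg);
        } catch (NoSuchMethodException e) {
            return cls.getConstructor().newInstance();
        }
    }

    // Vulnerable pattern: the class name from the URL is loaded, initialised and
    // constructed as-is. Any class on the driver's classpath with a public
    // (String) or no-arg constructor becomes reachable; its static initialiser
    // and constructor run, and the type mismatch only surfaces later as a
    // ClassCastException when the driver tries to use the "plugin".
    static Object loadPluginUnchecked(String className, String arg) throws Exception {
        return instantiate(Class.forName(className), arg);
    }

    // Hardened pattern: resolve the class with initialize=false so no code of
    // the named class runs yet, reject it unless it implements the expected
    // interface, and only then construct it.
    static <T> T loadPluginChecked(String property, String className, String arg,
                                   Class<T> expected) throws Exception {
        Class<?> cls = Class.forName(className, false,
                PluginFactoryExample.class.getClassLoader());
        if (!expected.isAssignableFrom(cls)) {
            throw new IllegalArgumentException(property + "=" + className
                    + " rejected: does not implement " + expected.getName());
        }
        return expected.cast(instantiate(cls, arg));
    }

    // A legitimate plugin for the sslpasswordcallback property (assumed name).
    public static class ExampleCallbackHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) {
            // a real handler would fill in a PasswordCallback here
        }
    }

    public static void main(String[] args) throws Exception {
        // Attacker-controlled value, as if parsed from the constructed URL
        // jdbc:redshift://host:5439/db?socketFactory=java.lang.StringBuilder&socketFactoryArg=x
        // StringBuilder stands in for any class on the classpath worth reaching.
        String attackerClass = "java.lang.StringBuilder";

        Object o = loadPluginUnchecked(attackerClass, "x");
        System.out.println("unchecked: constructed " + o.getClass().getName());
        try {
            SocketFactory sf = (SocketFactory) o;   // the driver's later use of the "plugin"
        } catch (ClassCastException ex) {
            System.out.println("unchecked: ClassCastException only after the constructor ran");
        }

        // The checked factory refuses the same class for every plugin property.
        for (Map.Entry<String, Class<?>> e : EXPECTED_TYPES.entrySet()) {
            try {
                loadPluginChecked(e.getKey(), attackerClass, "x", e.getValue());
            } catch (IllegalArgumentException ex) {
                System.out.println("checked: " + ex.getMessage());
            }
        }

        // A class that really implements the expected interface still loads.
        CallbackHandler ok = loadPluginChecked("sslpasswordcallback",
                PluginFactoryExample.class.getName() + "$ExampleCallbackHandler",
                null, CallbackHandler.class);
        System.out.println("checked: accepted " + ok.getClass().getName());
    }
}
```

Compile and run with `javac PluginFactoryExample.java && java PluginFactoryExample`. The ordering in loadPluginChecked matters: a plain `Class.forName(name)` initialises the class, so a static initialiser in an attacker-chosen class would already have run before any interface check; passing `initialize=false` and testing `isAssignableFrom` first keeps the attacker-named class from executing at all.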

Weakness Enumeration

Incorrect Type Conversion or Cast (CWE-704)

Related Identifiers

CVE-2022-41828
GHSA-5C6Q-F783-H888
GHSA-JC69-HJW2-FM86

Affected Products

Amazon Redshift Jdbc Driver