{
  "document": {
    "aggregate_severity": {
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "CVE-2022-21724: ensure arbitrary classes can't be passed instead of\n  SocketFactory, SSLSocketFactory, CallbackHandler, HostnameVerifier\n- Restore testing from previous spec versions, exclude broken tests",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775033648",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775033648"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/rhel8els/advisories/2026/clsa-2026_1775033648.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-01T08:54:36Z",
      "generator": {
        "date": "2026-04-01T08:54:36Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2026:1775033648",
      "initial_release_date": "2026-04-01T08:54:36Z",
      "revision_history": [
        {
          "date": "2026-04-01T08:54:36Z",
          "number": "1",
          "summary": "Initial version"
        }
      ],
      "status": "final",
      "version": "1"
    },
    "title": "postgresql-jdbc: Fix of CVE-2022-21724"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux 8",
                "product": {
                  "name": "Red Hat Enterprise Linux 8",
                  "product_id": "Red-Hat-8",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:redhat:enterprise_linux:8:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
                "product": {
                  "name": "postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
                  "product_id": "postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-jdbc@42.2.14-3.el8_9.tuxcare.els1?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
                "product": {
                  "name": "postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
                  "product_id": "postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/postgresql-jdbc-javadoc@42.2.14-3.el8_9.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch as a component of Red Hat Enterprise Linux 8",
          "product_id": "Red-Hat-8:postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch"
        },
        "product_reference": "postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
        "relates_to_product_reference": "Red-Hat-8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch as a component of Red Hat Enterprise Linux 8",
          "product_id": "Red-Hat-8:postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch"
        },
        "product_reference": "postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
        "relates_to_product_reference": "Red-Hat-8"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2022-21724",
      "cwe": {
        "id": "CWE-665",
        "name": "Improper Initialization"
      },
      "notes": [
        {
          "category": "description",
          "text": "pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify that the class implements the expected interface before instantiating it. This can lead to code execution via arbitrarily loaded classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red-Hat-8:postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
          "Red-Hat-8:postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2022-21724"
        },
        {
          "category": "external",
          "summary": "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813",
          "url": "https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813"
        },
        {
          "category": "external",
          "summary": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4",
          "url": "https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html",
          "url": "https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS/"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20220311-0005/",
          "url": "https://security.netapp.com/advisory/ntap-20220311-0005/"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2022/dsa-5196",
          "url": "https://www.debian.org/security/2022/dsa-5196"
        }
      ],
      "release_date": "2022-02-02T12:15:00Z",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-04-01T08:54:10.958552Z",
          "details": "Details on how to apply the fix are available at: https://cve.tuxcare.com/els/releases/CLSA-2026:1775033648",
          "product_ids": [
            "Red-Hat-8:postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
            "Red-Hat-8:postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch"
          ],
          "url": "https://cve.tuxcare.com/els/releases/CLSA-2026:1775033648"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "Red-Hat-8:postgresql-jdbc-0:42.2.14-3.el8_9.tuxcare.els1.noarch",
            "Red-Hat-8:postgresql-jdbc-javadoc-0:42.2.14-3.el8_9.tuxcare.els1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ]
    }
  ]
}