This article was originally published on February 26, 2024
WHAT’S NEW
An important software update has been released to address a critical security advisory in the JDBC (Java Database Connectivity) driver for Postgres, which enables Java applications to interact with PostgreSQL and EDB Postgres Extended (PGE) Server. EDB JDBC Drivers for EDB Postgres Advanced Server (EPAS), which are based on the upstream community driver, are also affected, and updates to address the vulnerability are now available in EDB software repositories.
The PostgreSQL JDBC Driver needs to be upgraded to version 42.7.2 or later, and the EDB JDBC Connector needs to be upgraded to 42.5.4.2 or later.
Highlights of this release include:
| Type | Highlight |
| --- | --- |
| Security | CVE-2024-1597 is addressed with this software update. As outlined in the Security Advisory, SQL injection is possible when using the non-default connection property preferQueryMode=simple together with application code that has a vulnerable SQL statement that negates a parameter value. There is no vulnerability in the driver when using the default query mode. |
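Because the exposure depends on two things at once, the driver version and the non-default preferQueryMode=simple property, a startup check is a cheap way to catch the combination before an application reaches production. The class below is an added example, not code from EDB or the pgjdbc project. It assumes the dotted driver version string has already been obtained (for example from DatabaseMetaData.getDriverVersion() on an open connection, with any non-numeric suffix removed) and that the connection Properties passed to DriverManager.getConnection are available; the class name, method names and the sample configurations in main are constructed for illustration. The fixed versions it compares against are the ones named in this announcement: 42.7.2 for the community driver and 42.5.4.2 for the EDB JDBC Connector.

```java
import java.util.Properties;

/**
 * Added example (not EDB's or pgjdbc's own code): flags the CVE-2024-1597
 * exposure described in the announcement, i.e. a driver older than the fixed
 * release combined with the non-default connection property
 * preferQueryMode=simple. The default query mode is not affected.
 */
public final class JdbcCve20241597Check {

    /** Fixed versions named in the announcement. */
    static final String COMMUNITY_FIXED = "42.7.2";
    static final String EDB_FIXED = "42.5.4.2";

    /** Name and default of the pgjdbc connection property that selects the query mode. */
    static final String QUERY_MODE_PROPERTY = "preferQueryMode";
    static final String DEFAULT_QUERY_MODE = "extended";

    /**
     * Compares dotted numeric versions (e.g. "42.5.4.2" vs "42.7.2").
     * Missing trailing components count as zero; a non-numeric suffix such as
     * "-jre7" is ignored. Returns a negative, zero or positive value like compareTo.
     */
    static int compareVersions(String a, String b) {
        String[] pa = a.replaceAll("[^0-9.].*$", "").split("\\.");
        String[] pb = b.replaceAll("[^0-9.].*$", "").split("\\.");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            int x = i < pa.length && !pa[i].isEmpty() ? Integer.parseInt(pa[i]) : 0;
            int y = i < pb.length && !pb[i].isEmpty() ? Integer.parseInt(pb[i]) : 0;
            if (x != y) {
                return Integer.compare(x, y);
            }
        }
        return 0;
    }

    /**
     * @param driverVersion dotted version reported by the driver (assumed to be
     *                      taken from DatabaseMetaData.getDriverVersion())
     * @param edbConnector  true for the EDB JDBC Connector, false for the
     *                      community PostgreSQL JDBC Driver
     * @param props         connection properties handed to DriverManager.getConnection
     * @return true when the driver is below the fixed release AND simple query
     *         mode is requested; false in the default query mode or on a fixed driver
     */
    static boolean isExposed(String driverVersion, boolean edbConnector, Properties props) {
        String fixed = edbConnector ? EDB_FIXED : COMMUNITY_FIXED;
        boolean patched = compareVersions(driverVersion, fixed) >= 0;
        String mode = props.getProperty(QUERY_MODE_PROPERTY, DEFAULT_QUERY_MODE);
        boolean simpleMode = "simple".equalsIgnoreCase(mode.trim());
        return !patched && simpleMode;
    }

    /** Human-readable verdict for logging at application startup. */
    static String report(String driverVersion, boolean edbConnector, Properties props) {
        String driverName = edbConnector ? "EDB JDBC Connector" : "PostgreSQL JDBC Driver";
        if (isExposed(driverVersion, edbConnector, props)) {
            return driverName + " " + driverVersion + " with preferQueryMode=simple: "
                    + "upgrade to " + (edbConnector ? EDB_FIXED : COMMUNITY_FIXED)
                    + " or later, or remove the non-default query mode";
        }
        return driverName + " " + driverVersion + ": not exposed to CVE-2024-1597";
    }

    public static void main(String[] args) {
        // Constructed sample configurations, not taken from any real deployment.
        Properties simple = new Properties();
        simple.setProperty(QUERY_MODE_PROPERTY, "simple");
        Properties defaults = new Properties(); // default query mode, property unset

        System.out.println(report("42.7.1", false, simple));    // community driver, old, simple mode
        System.out.println(report("42.7.1", false, defaults));  // community driver, old, default mode
        System.out.println(report("42.7.2", false, simple));    // community driver, fixed release
        System.out.println(report("42.5.4.1", true, simple));   // EDB connector, old, simple mode
        System.out.println(report("42.5.4.2", true, simple));   // EDB connector, fixed release
    }
}
```

The two thresholds are kept separate on purpose: the EDB JDBC Connector carries its own version line (42.5.4.x), so comparing an EDB build against the community number 42.7.2 would wrongly report a fixed EDB connector as vulnerable. Removing preferQueryMode=simple closes the exposure on its own, but upgrading the driver remains the recommended fix.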
TELL ME MORE
Please see the security advisory from the PostgreSQL JDBC Driver community for more details.
IS THIS ANNOUNCEMENT FOR ME?
This announcement is for all EDB customers using Java to communicate with PostgreSQL, EDB Postgres Extended (PGE) Server, and EDB Postgres Advanced Server (EPAS).
HOW TO GET THE SOFTWARE AND APPLY IT
Updated EDB JDBC Drivers are available in EDB Repos in the form of RPM and DEB native packages. They are also packaged and delivered as interactive installers available on the EDB Downloads site.
Updated JDBC drivers for PostgreSQL are available on PostgreSQL Global Development Group (PGDG) maintained repositories (yum.postgresql.org and apt.postgresql.org). Updated JDBC drivers for PostgreSQL are also available from the community for direct download at https://jdbc.postgresql.org/download/.
See your account details for EDB repository credentials. See account registration to create a new account.
TROUBLESHOOTING
If you experience any problems around the installation, migration, upgrade or general use of your EDB software please contact our Technical Support teams.
Customers may reach us at the EDB Customer Support Portal, and we’re also available 24x7 via email and phone at the details below:
techsupport@enterprisedb.com
trial-help@enterprisedb.com
US +1-732-331-1320 / 1-800-235-5891
UK +44-2033719820
Brazil +55-2139581371
India +91-20-66449612