Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2022-21724

CVE-2022-21724: PostgreSQL JDBC Driver RCE Vulnerability

CVE-2022-21724 is a remote code execution vulnerability in PostgreSQL JDBC Driver allowing attackers to execute arbitrary code via malicious class instantiation. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2022-21724 Overview

CVE-2022-21724 is an Insecure Deserialization vulnerability in pgjdbc, the official PostgreSQL JDBC Driver. The driver instantiates plugin instances based on class names provided via several connection properties including authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback. However, the driver failed to verify whether the specified class implements the expected interface before instantiation. This vulnerability allows attackers who control the JDBC URL or connection properties to achieve arbitrary code execution by loading and instantiating malicious classes.

Critical Impact

Attackers with control over JDBC connection URLs or properties can achieve remote code execution by instantiating arbitrary classes, potentially leading to complete system compromise.

Affected Products

  • PostgreSQL JDBC Driver (pgjdbc) versions prior to 42.2.25 and 42.3.2
  • Fedora 35
  • Quarkus (affected versions)
  • Debian Linux 9.0, 10.0, 11.0

Discovery Timeline

  • 2022-02-02 - CVE-2022-21724 published to NVD
  • 2025-05-05 - Last updated in NVD database

Technical Details for CVE-2022-21724

Vulnerability Analysis

The vulnerability resides in the improper initialization of plugin classes within the PostgreSQL JDBC driver. When establishing a database connection, pgjdbc allows users to specify custom implementations for various security-related components through connection properties. The affected properties include authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback.

The core issue stems from the ObjectFactory.instantiate() method which accepted any class name and instantiated it without validating that the class implements the required interface. An attacker who can control these connection properties—either through direct JDBC URL manipulation or by influencing application configuration—can specify arbitrary class names. When the driver instantiates these classes, it triggers their constructors, enabling code execution with the privileges of the application.

This represents a classic Unsafe Reflection vulnerability pattern (CWE-665: Improper Initialization), where inadequate type checking during dynamic class loading creates an exploitation path.

Root Cause

The root cause is the missing type validation in the ObjectFactory.instantiate() method. The original implementation used a simple cast to the expected interface type after instantiation, rather than validating the class type beforehand. This means any class on the classpath could be instantiated through the vulnerable connection properties, regardless of whether it implemented the expected interface such as SocketFactory or AuthenticationPlugin.

Attack Vector

This network-based attack requires the attacker to control the JDBC connection URL or connection properties. Attack scenarios include:

  1. Malicious Configuration Injection: If an application reads JDBC connection strings from user-controlled input, configuration files, or environment variables that attackers can manipulate
  2. Supply Chain Attacks: Compromised configuration management systems or deployment pipelines that inject malicious connection parameters
  3. Internal Network Attacks: Attackers with access to internal systems modifying database connection configurations

The fix implemented in the security patch adds explicit type checking by passing the expected class type to the ObjectFactory.instantiate() method:

java
// Before (vulnerable)
return (SocketFactory) ObjectFactory.instantiate(socketFactoryClassName, info, true,
    PGProperty.SOCKET_FACTORY_ARG.get(info));

// After (patched)
return ObjectFactory.instantiate(SocketFactory.class, socketFactoryClassName, info, true,
    PGProperty.SOCKET_FACTORY_ARG.get(info));

Source: GitHub Commit

Similarly, the AuthenticationPluginManager.java was patched to include proper type validation:

java
// Before (vulnerable)
authPlugin = (AuthenticationPlugin) ObjectFactory.instantiate(authPluginClassName, info,
    false, null);

// After (patched)
authPlugin = ObjectFactory.instantiate(AuthenticationPlugin.class, authPluginClassName, info,
    false, null);

Source: GitHub Commit

Detection Methods for CVE-2022-21724

Indicators of Compromise

  • Unusual JDBC connection strings containing suspicious class names in authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, or sslpasswordcallback properties
  • Unexpected class loading activity from the PostgreSQL JDBC driver process
  • Application logs showing instantiation errors with unexpected class names or PSQLState.INVALID_PARAMETER_VALUE errors
  • Process execution or network connections originating from Java applications using pgjdbc that don't match normal behavior

Detection Strategies

  • Implement application-layer monitoring for JDBC connection string modifications and validate against an allowlist of expected connection parameters
  • Deploy runtime application self-protection (RASP) solutions to detect and block arbitrary class instantiation attempts
  • Configure SentinelOne agents to monitor Java applications for suspicious class loading behavior and unexpected process spawning
  • Audit configuration management systems and deployment pipelines for unauthorized changes to database connection settings

Monitoring Recommendations

  • Enable verbose logging for JDBC driver initialization to capture connection property values and class instantiation attempts
  • Implement centralized logging and alerting for database connection configuration changes across all environments
  • Monitor application classpath for unexpected or malicious JAR files that could be loaded through this vulnerability

How to Mitigate CVE-2022-21724

Immediate Actions Required

  • Upgrade PostgreSQL JDBC Driver to version 42.2.25 or later (for 42.2.x branch) or 42.3.2 or later (for 42.3.x branch)
  • Audit all applications using pgjdbc to identify instances where JDBC connection strings may be influenced by untrusted input
  • Implement strict input validation for any user-controlled database connection parameters
  • Review and restrict access to configuration files and environment variables containing database connection strings

Patch Information

The vulnerability has been addressed in commit f4d0ed69c0b3aae8531d83d6af4c57f22312c813 which adds proper type validation before class instantiation. The fix ensures that classes specified in plugin connection properties actually implement the expected interfaces. Additional security advisories have been released by Debian, Fedora, and NetApp.

Workarounds

  • There are no known workarounds for this vulnerability according to the official advisory; upgrading is strongly recommended
  • As a defense-in-depth measure, ensure JDBC connection strings are never constructed from untrusted user input
  • Implement network segmentation to limit exposure of applications using vulnerable pgjdbc versions
  • Consider using connection pooling solutions that validate connection parameters before passing them to the driver
bash
# Verify installed pgjdbc version in Maven projects
mvn dependency:tree | grep postgresql

# Update pgjdbc in Maven pom.xml to patched version
# For 42.2.x branch, use 42.2.25 or later
# For 42.3.x branch, use 42.3.2 or later
mvn versions:use-latest-versions -Dincludes=org.postgresql:postgresql

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne