CVE-2022-21724 Overview
CVE-2022-21724 is an Insecure Deserialization vulnerability in pgjdbc, the official PostgreSQL JDBC Driver. The driver instantiates plugin instances based on class names provided via several connection properties including authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback. However, the driver failed to verify whether the specified class implements the expected interface before instantiation. This vulnerability allows attackers who control the JDBC URL or connection properties to achieve arbitrary code execution by loading and instantiating malicious classes.
Critical Impact
Attackers with control over JDBC connection URLs or properties can achieve remote code execution by instantiating arbitrary classes, potentially leading to complete system compromise.
Affected Products
- PostgreSQL JDBC Driver (pgjdbc) versions prior to 42.2.25 and 42.3.2
- Fedora 35
- Quarkus (affected versions)
- Debian Linux 9.0, 10.0, 11.0
Discovery Timeline
- 2022-02-02 - CVE-2022-21724 published to NVD
- 2025-05-05 - Last updated in NVD database
Technical Details for CVE-2022-21724
Vulnerability Analysis
The vulnerability resides in the improper initialization of plugin classes within the PostgreSQL JDBC driver. When establishing a database connection, pgjdbc allows users to specify custom implementations for various security-related components through connection properties. The affected properties include authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, and sslpasswordcallback.
The core issue stems from the ObjectFactory.instantiate() method which accepted any class name and instantiated it without validating that the class implements the required interface. An attacker who can control these connection properties—either through direct JDBC URL manipulation or by influencing application configuration—can specify arbitrary class names. When the driver instantiates these classes, it triggers their constructors, enabling code execution with the privileges of the application.
This represents a classic Unsafe Reflection vulnerability pattern (CWE-665: Improper Initialization), where inadequate type checking during dynamic class loading creates an exploitation path.
Root Cause
The root cause is the missing type validation in the ObjectFactory.instantiate() method. The original implementation used a simple cast to the expected interface type after instantiation, rather than validating the class type beforehand. This means any class on the classpath could be instantiated through the vulnerable connection properties, regardless of whether it implemented the expected interface such as SocketFactory or AuthenticationPlugin.
Attack Vector
This network-based attack requires the attacker to control the JDBC connection URL or connection properties. Attack scenarios include:
- Malicious Configuration Injection: If an application reads JDBC connection strings from user-controlled input, configuration files, or environment variables that attackers can manipulate
- Supply Chain Attacks: Compromised configuration management systems or deployment pipelines that inject malicious connection parameters
- Internal Network Attacks: Attackers with access to internal systems modifying database connection configurations
The fix implemented in the security patch adds explicit type checking by passing the expected class type to the ObjectFactory.instantiate() method:
// Before (vulnerable)
return (SocketFactory) ObjectFactory.instantiate(socketFactoryClassName, info, true,
PGProperty.SOCKET_FACTORY_ARG.get(info));
// After (patched)
return ObjectFactory.instantiate(SocketFactory.class, socketFactoryClassName, info, true,
PGProperty.SOCKET_FACTORY_ARG.get(info));
Source: GitHub Commit
Similarly, the AuthenticationPluginManager.java was patched to include proper type validation:
// Before (vulnerable)
authPlugin = (AuthenticationPlugin) ObjectFactory.instantiate(authPluginClassName, info,
false, null);
// After (patched)
authPlugin = ObjectFactory.instantiate(AuthenticationPlugin.class, authPluginClassName, info,
false, null);
Source: GitHub Commit
Detection Methods for CVE-2022-21724
Indicators of Compromise
- Unusual JDBC connection strings containing suspicious class names in authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, or sslpasswordcallback properties
- Unexpected class loading activity from the PostgreSQL JDBC driver process
- Application logs showing instantiation errors with unexpected class names or PSQLState.INVALID_PARAMETER_VALUE errors
- Process execution or network connections originating from Java applications using pgjdbc that don't match normal behavior
Detection Strategies
- Implement application-layer monitoring for JDBC connection string modifications and validate against an allowlist of expected connection parameters
- Deploy runtime application self-protection (RASP) solutions to detect and block arbitrary class instantiation attempts
- Configure SentinelOne agents to monitor Java applications for suspicious class loading behavior and unexpected process spawning
- Audit configuration management systems and deployment pipelines for unauthorized changes to database connection settings
Monitoring Recommendations
- Enable verbose logging for JDBC driver initialization to capture connection property values and class instantiation attempts
- Implement centralized logging and alerting for database connection configuration changes across all environments
- Monitor application classpath for unexpected or malicious JAR files that could be loaded through this vulnerability
How to Mitigate CVE-2022-21724
Immediate Actions Required
- Upgrade PostgreSQL JDBC Driver to version 42.2.25 or later (for 42.2.x branch) or 42.3.2 or later (for 42.3.x branch)
- Audit all applications using pgjdbc to identify instances where JDBC connection strings may be influenced by untrusted input
- Implement strict input validation for any user-controlled database connection parameters
- Review and restrict access to configuration files and environment variables containing database connection strings
Patch Information
The vulnerability has been addressed in commit f4d0ed69c0b3aae8531d83d6af4c57f22312c813 which adds proper type validation before class instantiation. The fix ensures that classes specified in plugin connection properties actually implement the expected interfaces. Additional security advisories have been released by Debian, Fedora, and NetApp.
Workarounds
- There are no known workarounds for this vulnerability according to the official advisory; upgrading is strongly recommended
- As a defense-in-depth measure, ensure JDBC connection strings are never constructed from untrusted user input
- Implement network segmentation to limit exposure of applications using vulnerable pgjdbc versions
- Consider using connection pooling solutions that validate connection parameters before passing them to the driver
# Verify installed pgjdbc version in Maven projects
mvn dependency:tree | grep postgresql
# Update pgjdbc in Maven pom.xml to patched version
# For 42.2.x branch, use 42.2.25 or later
# For 42.3.x branch, use 42.3.2 or later
mvn versions:use-latest-versions -Dincludes=org.postgresql:postgresql
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
