Progress DataDirect JDBC Drivers SpyAttributes Connection Option Remote Code Inclusion Vulnerability
Vulnerability
A remote code inclusion vulnerability has been identified in Progress DataDirect Connect for JDBC drivers, as well as the DataDirect Hybrid Data Pipeline JDBC driver and the DataDirect OpenAccess JDBC driver. This vulnerability arises from the SpyAttributes connection option, which supports an undocumented syntax that can be exploited to load and execute arbitrary classes from the class path. Applications that allow users to specify connection strings without proper validation or that neglect to restrict the SpyAttributes option are vulnerable.
Impact
Exploitation of this vulnerability allows for remote code execution by loading arbitrary classes and executing their constructors via the JDBC connection string.
Remediation
Users are advised to upgrade to the latest versions of the affected JDBC drivers. Instructions for downloading and installing the updated versions are available on the Progress Community portal. Customers who cannot upgrade immediately can disable the Spy logging feature in their application as a temporary measure.
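One way an application can close the condition the advisory describes (user-supplied connection strings that are not validated, or a SpyAttributes option that is not restricted) is an allowlist over connection option keys, checked both in the URL and in the java.util.Properties object handed to the driver. This is an added example, not code from Progress or from the DataDirect drivers; the ';'-separated key=value URL format, the URL prefix and the allowlisted key names are assumptions.

```java
import java.util.Locale;
import java.util.Properties;
import java.util.Set;

// Allowlist gate for JDBC connection input before it reaches the driver.
// Assumed (not from the advisory): options are ';'-separated key=value pairs
// after the host part; allowlisted key names are hypothetical placeholders.
public final class JdbcConnectionGuard {
    // Hypothetical allowlist of option keys the application really needs (lower-case).
    private static final Set<String> ALLOWED_KEYS = Set.of("databasename", "logintimeout");
    // The option named in the advisory; denied even if it ever lands on the allowlist.
    private static final String DENIED_KEY = "spyattributes";
    private JdbcConnectionGuard() {}

    // True only when every option key in the URL and in props is allowlisted.
    public static boolean isSafe(String url, Properties props) {
        if (url == null || !url.toLowerCase(Locale.ROOT).startsWith("jdbc:")) return false;
        int idx = url.indexOf(';');
        if (idx >= 0) {
            for (String pair : url.substring(idx + 1).split(";")) {
                if (pair.trim().isEmpty()) continue;
                int eq = pair.indexOf('=');
                String key = eq < 0 ? pair : pair.substring(0, eq);
                if (!isAllowedKey(key)) return false;
            }
        }
        if (props != null) {
            for (String name : props.stringPropertyNames()) {
                if (!isAllowedKey(name)) return false;
            }
        }
        return true;
    }

    private static boolean isAllowedKey(String key) {
        String k = key.trim().toLowerCase(Locale.ROOT);
        return !k.equals(DENIED_KEY) && ALLOWED_KEYS.contains(k);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the URL prefix is a placeholder, not vendor syntax.
        String base = "jdbc:datadirect:example://db.internal:1234;DatabaseName=app";
        Properties viaProps = new Properties();
        viaProps.setProperty("spyAttributes", "x");
        System.out.println(isSafe(base, new Properties()));
        System.out.println(isSafe(base + ";SpyAttributes=x", new Properties()));
        System.out.println(isSafe(base, viaProps));
    }
}
```

The first call passes; the two that carry SpyAttributes, whether in the URL or in the Properties object, are rejected, since the key comparison is case-insensitive and the option is denied regardless of the allowlist.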
