Progress DataDirect JDBC Drivers and Components Remote Code Inclusion Vulnerability
Vulnerability
A code injection vulnerability allowing remote code inclusion has been identified in multiple Progress DataDirect JDBC drivers and components, including the DataDirect OpenAccess JDBC driver, the DataDirect Hybrid Data Pipeline JDBC driver, and the DataDirect Hybrid Data Pipeline server. This vulnerability arises from the SpyAttribute connection option, which allows users to specify arbitrary log file destinations. If an application permits end users to customize this option, an attacker could inject JavaScript into a log file. Depending on the log file's location and extension, an application server might serve it as a resource, enabling the execution of the injected JavaScript. This issue affects several versions across different DataDirect products, with specific fixed versions available.
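The root cause described above is that a user-controlled log destination lets the caller choose both where the Spy log is written and what extension it gets. One way an application that exposes this option to end users can constrain it is shown below: an added example, not code from Progress or from the advisory. The log directory, the bare-filename allow-list, and the SpyAttributes string format are assumptions for illustration and should be checked against the driver's documentation before use.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import java.util.regex.Pattern;

/**
 * Restricts a user-supplied Spy log file name to a fixed, non-web-served
 * directory and a non-executable extension before it reaches the driver.
 */
public final class SpyLogDestinationPolicy {

    // Assumed directory for driver diagnostics; it must sit outside any
    // application-server document root so the file can never be served.
    private static final Path LOG_ROOT =
            Paths.get("/var/log/myapp/jdbc-spy").toAbsolutePath().normalize();

    // Bare file name only: no path separators, no dots except the extension,
    // and the extension is fixed to .log (never .js, .jsp, .html, ...).
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]{1,64}\\.log");

    /** Returns an absolute path under LOG_ROOT, or throws for anything else. */
    public static Path resolveLogFile(String userSuppliedName) {
        if (userSuppliedName == null || !SAFE_NAME.matcher(userSuppliedName).matches()) {
            throw new IllegalArgumentException("log file name rejected by policy");
        }
        Path resolved = LOG_ROOT.resolve(userSuppliedName).normalize();
        // Defence in depth: even with the allow-list, confirm no escape from LOG_ROOT.
        if (!resolved.startsWith(LOG_ROOT)) {
            throw new IllegalArgumentException("log file escapes the log directory");
        }
        return resolved;
    }

    /**
     * Builds JDBC connection properties. Spy logging stays off unless the
     * server explicitly enables it, which is the advisory's interim mitigation.
     */
    public static Properties connectionProperties(String userSuppliedName, boolean spyEnabled) {
        Properties props = new Properties();
        if (!spyEnabled) {
            return props; // no SpyAttributes at all: nothing user-controlled is logged to disk
        }
        Path logFile = resolveLogFile(userSuppliedName);
        // Assumed attribute syntax for illustration; confirm the exact form
        // in the DataDirect Spy documentation for the driver in use.
        props.setProperty("SpyAttributes", "(log=(file)" + logFile + ")");
        return props;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one acceptable name and three that the policy must reject.
        String[] samples = {
            "trace.log",
            "../../var/www/html/payload.js",
            "trace.js",
            "/tmp/elsewhere.log"
        };
        for (String name : samples) {
            try {
                System.out.println(name + " -> " + resolveLogFile(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The point of the allow-list is that it decides both halves of the attack surface the advisory names: the directory is chosen by the server, so the file cannot land somewhere an application server publishes, and the extension is fixed, so even a misconfigured server would not treat the file as script. Keeping Spy logging disabled by default matches the vendor's interim guidance for deployments that cannot upgrade yet.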
Impact
Exploitation of this vulnerability could lead to remote code execution by allowing an attacker to inject and execute malicious code on the server where the application is running.
Remediation
Users are advised to upgrade to the latest versions of the affected JDBC drivers or components. Instructions for downloading and installing the updated versions are available on the Progress Community website. Customers who cannot upgrade immediately can temporarily disable the Spy logging feature until they are able to perform the update.
