DataEase Redshift JDBC Driver Remote Code Execution Vulnerability

A remote code execution vulnerability exists in DataEase versions prior to 2.10.20, specifically within the Redshift JDBC driver integration. The issue arises because the IniFile parameter is not properly validated, allowing attackers to load malicious configuration files that inject harmful JDBC properties. This exploitation takes advantage of the JDBC driver's automatic file discovery mechanism, ultimately leading to unauthorized code execution.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where DataEase is running.

Reproduction

To reproduce this vulnerability, upload a malicious configuration file, such as one named 'ini.txt', to a location accessible by the server. This file should contain JDBC properties that can be exploited, such as those targeting Spring's FileSystemXmlApplicationContext to load a remote XML file for code execution. Once the file is in place, use the DataEase datasource validation interface to send a JDBC URL that includes the path to the malicious ini.txt file via the IniFile parameter. This request will trigger the vulnerability by loading the injected properties from the specified configuration file, leading to remote code execution.

Remediation

Users are advised to upgrade to DataEase version 2.10.20, where this vulnerability has been fixed.