Snowflake JDBC Driver Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Snowflake JDBC driver, specifically in versions through 4.0.1. The issue arises in the SdkProxyRoutePlanner class, where the nonProxyHosts parameter is used to build regular expressions: a crafted value produces an inefficient pattern whose evaluation leads to catastrophic backtracking and CPU exhaustion. The problem is triggered by supplying such a nonProxyHosts value via the JDBC URL; the resulting regular expression evaluations cause significant performance degradation.
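The root cause is that a user-controlled nonProxyHosts value becomes a regular expression. The following Java class is an added, hypothetical example (not code from the Snowflake driver) of the defensive alternative: it parses a nonProxyHosts value in the java.net convention ('|'-separated entries, '*' as the only wildcard), rejects characters outside the hostname alphabet, and matches hosts with an iterative wildcard algorithm whose worst case is O(|pattern| x |host|), so no entry can cause catastrophic backtracking.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

// Hypothetical, added example: nonProxyHosts matching without java.util.regex.
// Entries follow the java.net convention: '|'-separated, '*' is the only wildcard.
public final class NonProxyHostMatcher {
    private final List<String> patterns = new ArrayList<>();

    public NonProxyHostMatcher(String nonProxyHosts) {
        if (nonProxyHosts == null) return;
        for (String raw : nonProxyHosts.split("\\|")) {
            String p = raw.trim().toLowerCase(Locale.ROOT);
            if (p.isEmpty()) continue;
            // Reject anything that is not a hostname character or '*'.
            for (int i = 0; i < p.length(); i++) {
                char c = p.charAt(i);
                boolean ok = (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9') || c == '.' || c == '-' || c == '*';
                if (!ok) throw new IllegalArgumentException("bad nonProxyHosts entry: " + raw);
            }
            patterns.add(p);
        }
    }

    // True if host matches any entry, i.e. the connection must bypass the proxy.
    public boolean bypassProxy(String host) {
        String h = host.toLowerCase(Locale.ROOT);
        for (String p : patterns) {
            if (wildcardMatch(p, h)) return true;
        }
        return false;
    }

    // Iterative '*' matching, O(|pattern| * |text|) worst case; no regex, no recursion.
    static boolean wildcardMatch(String pattern, String text) {
        int p = 0, t = 0, starP = -1, starT = -1;
        while (t < text.length()) {
            if (p < pattern.length() && pattern.charAt(p) == '*') {
                starP = p++;   // remember the star, first try matching zero chars
                starT = t;
            } else if (p < pattern.length() && pattern.charAt(p) == text.charAt(t)) {
                p++; t++;
            } else if (starP != -1) {
                p = starP + 1; // let the last star absorb one more character
                t = ++starT;
            } else {
                return false;
            }
        }
        while (p < pattern.length() && pattern.charAt(p) == '*') p++;
        return p == pattern.length();
    }
}
```

With the entries "localhost|*.internal.example|10.*", bypassProxy("db.internal.example") and bypassProxy("10.0.0.5") return true while bypassProxy("account.snowflakecomputing.com") returns false, whatever the length or star count of the configured entries.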

Impact

Exploitation of this vulnerability causes a spike in CPU usage, leading to denial-of-service conditions. The issue can be triggered locally through the JDBC URL by manipulating the nonProxyHosts parameter, causing the application to consume excessive CPU resources and potentially disrupt normal operations.

Reproduction

The vulnerability can be reproduced with a crafted JDBC URL whose nonProxyHosts parameter carries a payload designed to exploit the regular expression handling. Connecting to a Snowflake account from an application that uses the vulnerable JDBC driver version with this crafted URL triggers the denial-of-service condition.

Remediation

Users are advised to update to Snowflake JDBC version 4.0.1 or later, where this vulnerability has been fixed.

Added: Feb 27, 2026, 6:22 AM
Updated: Feb 27, 2026, 2:37 PM

Vulnerability Rating

Custom Algorithm

  spread          4.2
  impact          2.5
  exploitability  4.6
  remediation     7.7
  relevance       3.3
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.