PostgreSQL JDBC Driver Client-Side Denial-of-Service Vulnerability During SCRAM-SHA-256 Authentication

Vulnerability

A client-side denial-of-service vulnerability has been identified in the PostgreSQL JDBC driver (pgjdbc) versions 42.2.0 prior to 42.7.11. The issue arises during SCRAM-SHA-256 authentication, where a malicious server can send a very large iteration count in its server-first message. The client then spends an unbounded amount of CPU time on the PBKDF2 computation, tying up a CPU core for each authentication attempt. Repeated or concurrent attempts can exhaust client CPU resources and disrupt connection pools. In the affected versions, the 'loginTimeout' parameter did not effectively mitigate the issue: it could abort the wait for the connection, but not the CPU-intensive computation already in progress. The vulnerability does not bypass authentication, escalate privileges, or directly disclose passwords.

Impact

Exploitation of this vulnerability leads to significant CPU exhaustion on the client side, causing a denial-of-service condition that can disrupt normal application operations and wedge connection pools.

Remediation

Users should upgrade to pgjdbc version 42.7.11 or later, which patches the vulnerability by introducing a 'scramMaxIterations' connection property that limits the number of PBKDF2 iterations accepted from the server. Until the upgrade is applied, it is recommended to connect only to trusted PostgreSQL servers, verify server identity with TLS, and avoid relying solely on 'loginTimeout' as a mitigation measure.
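The following Python snippet is an added illustration of the defensive check the fixed driver applies, and is not pgjdbc's own code: it parses a SCRAM-SHA-256 server-first message, bounds the 'i=' iteration count before any PBKDF2 work starts, and only then derives SaltedPassword. The sample messages, the 1,000,000 cap and the function names are constructed for this example (the real default of 'scramMaxIterations' is not stated on this page).

```python
import base64
import hashlib
import re

# Constructed sample server-first messages (not captured from any real server).
# Format per RFC 5802: r=<nonce>,s=<base64 salt>,i=<iteration count>
SERVER_FIRST_OK = "r=clientnonceservernonce,s=QSXCR+Q6sek8bf92,i=4096"
SERVER_FIRST_HUGE = "r=clientnonceservernonce,s=QSXCR+Q6sek8bf92,i=2147483647"

# Assumed cap for this illustration; pgjdbc exposes the equivalent knob as the
# 'scramMaxIterations' connection property.
MAX_ITERATIONS = 1_000_000


class ScramIterationError(ValueError):
    """Raised when the server's iteration count is malformed or over the cap."""


def parse_server_first(message: str) -> dict:
    """Split the server-first message into its r=, s= and i= attributes."""
    attrs = {}
    for part in message.split(","):
        key, _, value = part.partition("=")
        attrs[key] = value
    for required in ("r", "s", "i"):
        if required not in attrs:
            raise ValueError(f"missing SCRAM attribute '{required}'")
    return attrs


def bounded_iterations(attrs: dict, max_iterations: int = MAX_ITERATIONS) -> int:
    """Validate the iteration count BEFORE any PBKDF2 work is scheduled."""
    if not re.fullmatch(r"[1-9][0-9]*", attrs["i"]):
        raise ScramIterationError("iteration count is not a positive integer")
    iterations = int(attrs["i"])
    if iterations > max_iterations:
        raise ScramIterationError(
            f"server requested {iterations} iterations, cap is {max_iterations}")
    return iterations


def accepts_server_first(message: str, max_iterations: int = MAX_ITERATIONS) -> bool:
    """True if the client would proceed with PBKDF2 for this message."""
    try:
        bounded_iterations(parse_server_first(message), max_iterations)
        return True
    except ValueError:  # ScramIterationError is a ValueError
        return False


def salted_password(password: str, attrs: dict,
                    max_iterations: int = MAX_ITERATIONS) -> bytes:
    """SaltedPassword = PBKDF2-HMAC-SHA-256(password, salt, i), after the cap check."""
    iterations = bounded_iterations(attrs, max_iterations)
    salt = base64.b64decode(attrs["s"])
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
```

Without the cap check, the huge-iteration message would pin a core in pbkdf2_hmac for every connection attempt; with it, the client rejects the message before any hashing begins.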

Added: Apr 29, 2026, 4:28 PM
Updated: Apr 29, 2026, 4:28 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 2.5
exploitability: 4.3
remediation: 8.3
relevance: 7.0
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.