Amazon Redshift JDBC Driver Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in the Amazon Redshift JDBC Driver in versions prior to 2.2.2. The issue arises because the driver can load and execute arbitrary classes by processing certain JDBC connection URL parameters. An actor who can modify the connection URL could potentially execute code within the application's context, provided that a suitable class is available on the classpath.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution in the application's JVM process. This could allow an actor to read sensitive data, modify the application state, or disrupt service availability, all with the privileges of the application process.

Remediation

Users are advised to upgrade to version 2.2.2 or later. Instructions for downloading the latest version are available on the Amazon Redshift JDBC Driver GitHub Releases page.
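
An added example (not code from this advisory or from the driver project): a Python inventory check that walks a directory tree and reports Redshift JDBC driver jars older than 2.2.2, the fixed version named above. The file naming pattern `redshift-jdbc42-<version>.jar` and the sample names are assumptions about how the driver is deployed.

```python
import re
import sys
from pathlib import Path

FIXED = (2, 2, 2)  # first fixed version, per the advisory

# Assumption: the jar keeps a name such as redshift-jdbc42-2.1.0.30.jar
JAR_RE = re.compile(r"redshift-jdbc\d*-(\d+(?:\.\d+)*)\.jar$", re.IGNORECASE)

# Constructed sample file names, used when no directory is given
SAMPLE_NAMES = ["redshift-jdbc42-2.1.0.30.jar", "redshift-jdbc42-2.2.2.jar",
                "redshift-jdbc42-2.2.10.jar", "postgresql-42.7.3.jar"]


def is_vulnerable(version):
    """True if the version tuple is lower than the fixed release.

    Tuples are zero-padded so 2.2.2 and 2.2.2.0 compare equal, and compared
    numerically so 2.2.10 is not mistaken for being older than 2.2.2.
    """
    width = max(len(version), len(FIXED))
    pad = lambda v: tuple(v) + (0,) * (width - len(v))
    return pad(version) < pad(FIXED)


def classify(jar_name):
    """Return (version_string, vulnerable) for a driver jar, else None."""
    match = JAR_RE.search(jar_name)
    if not match:
        return None
    version = tuple(int(part) for part in match.group(1).split("."))
    return match.group(1), is_vulnerable(version)


def scan(root):
    """Walk root and return sorted (path, version) pairs for vulnerable jars."""
    findings = []
    for path in Path(root).rglob("*.jar"):
        result = classify(path.name)
        if result and result[1]:
            findings.append((str(path), result[0]))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, version in scan(sys.argv[1]):
            print(f"VULNERABLE {version}  {path}")
    else:
        for name in SAMPLE_NAMES:
            print(name, classify(name))
```

A driver that has been renamed, or shaded into an application fat jar or WAR, will not match the file name pattern; check the build's dependency list for those cases.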

Added: May 8, 2026, 10:11 PM
Updated: May 8, 2026, 10:11 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 4.8
remediation: 7.7
relevance: 7.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.