
A critical vulnerability has been identified in the Databricks JDBC Driver. It allows remote code execution (RCE) through JNDI injection via a malicious JDBC URL parameter, specifically the krbJAASFile parameter.
In-Depth Details:
Affected Component:
- Databricks JDBC Driver: This driver facilitates database connectivity, enabling applications to interact with Databricks.
Vulnerability Characteristics:
- Identifier: CVE-2024-49194, CVSS v3 score 7.3
- Type: JNDI Injection leading to Remote Code Execution (RCE)
- Parameter: The vulnerability is exploited via the krbJAASFile parameter within a JDBC URL.
Impact:
- Affected Versions: Databricks JDBC Driver versions 2.6.38 and below.
Mitigation Strategies:
- Update the JDBC Driver:
- Upgrade to Databricks JDBC Driver version 2.6.40 or above. This version contains fixes that address the vulnerability.
- JVM Configuration Changes:
- If updating the JDBC Driver is not immediately possible, you can mitigate the risk by modifying your Java Virtual Machine (JVM) configuration.
- Set the following JVM system properties to false when launching the application (passed as -D options on the java command line or through JAVA_TOOL_OPTIONS):
  -Dcom.sun.jndi.ldap.object.trustURLCodebase=false
  -Dcom.sun.jndi.ldap.object.trustSerialData=false
- These settings stop the JVM from loading classes from remote codebases and from trusting serialized data returned over LDAP, which is what a JNDI injection relies on, thereby mitigating the risk.
Steps to Apply the Update:
- Identify Current Driver Version:
- Check the version of the Databricks JDBC Driver currently in use.
- Confirm if it is affected by the vulnerability (versions 2.6.38 and below).
- Download Updated Driver:
- Obtain the latest version (2.6.40 or above) from the official Databricks repository or website.
- Replace Old Driver:
- Replace the old JDBC driver file with the new version in your application’s environment.
- Verify Configuration:
- Ensure that the application properly loads the updated driver.
- Test the application to verify that the update does not introduce any unexpected issues.
- JVM Configuration (if needed):
- Apply the JVM configuration changes as an additional precaution if an immediate update is not feasible.
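The version check in the steps above and the JVM-property mitigation can both be verified before rollout. The following POSIX shell script is an added example (not code from the advisory or from Databricks); it assumes the driver jar is named DatabricksJDBC42-<version>.jar (a hypothetical naming convention) and that the JVM flags are available as one string such as JAVA_TOOL_OPTIONS.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Databricks.
# Assumptions: the driver jar is named DatabricksJDBC42-<version>.jar
# (hypothetical naming) and JVM flags are available as one string.

FIXED_VERSION="2.6.40"   # first release the advisory names as fixed

# version_ge A B : exit 0 when dotted version A is >= B, compared per component
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"                 # leading component
    [ "$a" = "$ai" ] && a="" || a="${a#*.}"      # drop it from the remainder
    [ "$b" = "$bi" ] && b="" || b="${b#*.}"
    ai=$(printf '%s' "$ai" | tr -cd '0-9'); ai="${ai:-0}"   # digits only
    bi=$(printf '%s' "$bi" | tr -cd '0-9'); bi="${bi:-0}"
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
  done
  return 0
}

# driver_version JAR : print the version taken from the jar's file name
driver_version() {
  base="${1##*/}"; base="${base%.jar}"
  printf '%s\n' "${base#*-}"
}

# needs_update VERSION : exit 0 when the driver is older than the fixed release
# (anything below 2.6.40 is treated as needing the upgrade the advisory names)
needs_update() { ! version_ge "$1" "$FIXED_VERSION"; }

# jndi_hardened FLAGS : exit 0 only when both properties are explicitly false
jndi_hardened() {
  case "$1" in *-Dcom.sun.jndi.ldap.object.trustURLCodebase=false*) ;; *) return 1 ;; esac
  case "$1" in *-Dcom.sun.jndi.ldap.object.trustSerialData=false*) return 0 ;; *) return 1 ;; esac
}

# report JAR FLAGS : one-line verdict combining both checks
report() {
  v=$(driver_version "$1")
  if needs_update "$v"; then
    if jndi_hardened "$2"; then
      echo "$v: affected driver, JVM mitigation present; still upgrade to $FIXED_VERSION or later"
    else
      echo "$v: affected driver, no JVM mitigation; upgrade to $FIXED_VERSION or later now"
    fi
  else
    echo "$v: at or above $FIXED_VERSION"
  fi
}

# Constructed sample input for a stand-alone run (path is hypothetical):
report /opt/app/lib/DatabricksJDBC42-2.6.38.1055.jar "$JAVA_TOOL_OPTIONS"
```

The file-name check is a convenience; the authoritative driver version is the one reported by the jar manifest or by the loaded java.sql.Driver at runtime.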
By addressing this vulnerability promptly, organizations can protect their systems from potential exploitation and ensure the integrity and security of their applications that rely on the Databricks JDBC Driver.