EXASOL Roadmap / EXASOL-2902

Fixed vulnerability in UDF framework

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: EXASolution 5.0.0, EXASOL 6.0.0, Exasol 6.1.0, Exasol 6.2.0, Exasol 7.0.0, Exasol 7.1.beta1
    • Component/s: None
    • Labels:
      None

      Description

      Vulnerability

      Classification: Critical

      A logged-in database user having the system privilege CREATE SCRIPT or CREATE ANY SCRIPT could possibly escape the sandboxed UDF execution and gain access to the host machine running the database.

      Prerequisites

      • User has login access to the database (valid credentials and CREATE SESSION system privilege).
      • User has at least one of the system privileges CREATE SCRIPT and CREATE ANY SCRIPT.

      Workaround

      We recommend reviewing the system privileges CREATE SCRIPT and CREATE ANY SCRIPT that have already been granted and reducing them to the necessary level.
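One way to carry out this review, as an added example that is not part of the original advisory: the script resolves nested role membership and reports every user who meets both prerequisites listed above. It assumes the grant rows were exported as (GRANTEE, PRIVILEGE) and (GRANTEE, GRANTED_ROLE) pairs, for instance from the EXA_DBA_SYS_PRIVS and EXA_DBA_ROLE_PRIVS system views; the sample rows and all user and role names are constructed.

```python
from collections import defaultdict

SCRIPT_PRIVS = ("CREATE SCRIPT", "CREATE ANY SCRIPT")

# Constructed sample rows; all user and role names are hypothetical.
USERS = {"SYS", "ALICE", "BOB", "CAROL", "ETL_SVC"}
SYS_PRIVS = [  # (GRANTEE, PRIVILEGE)
    ("DBA", "CREATE SESSION"), ("DBA", "CREATE ANY SCRIPT"),
    ("ANALYST", "CREATE SESSION"), ("UDF_DEV", "CREATE SCRIPT"),
    ("CAROL", "CREATE SESSION"),
    ("ETL_SVC", "CREATE SCRIPT"),  # no CREATE SESSION anywhere
]
ROLE_PRIVS = [  # (GRANTEE, GRANTED_ROLE)
    ("SYS", "DBA"), ("ALICE", "ANALYST"), ("BOB", "DATA_SCI"),
    ("DATA_SCI", "ANALYST"), ("DATA_SCI", "UDF_DEV"),  # nested roles
]


def effective(name, direct, roles_of, path=()):
    """Return {privilege: grant path} for one grantee, following nested roles."""
    path = path + (name,)
    found = {priv: path for priv in direct.get(name, ())}
    for role in sorted(roles_of.get(name, ())):
        if role in path:  # guard against a cyclic role graph
            continue
        for priv, via in effective(role, direct, roles_of, path).items():
            found.setdefault(priv, via)
    return found


def exposed_users(users, sys_privs, role_privs):
    """Users meeting both prerequisites: CREATE SESSION plus a script privilege."""
    direct, roles_of = defaultdict(set), defaultdict(set)
    for grantee, priv in sys_privs:
        direct[grantee].add(priv)
    for grantee, role in role_privs:
        roles_of[grantee].add(role)
    report = {}
    for user in sorted(users):
        privs = effective(user, direct, roles_of)
        if "CREATE SESSION" not in privs:
            continue
        hits = {p: " -> ".join(privs[p]) for p in SCRIPT_PRIVS if p in privs}
        if hits:
            report[user] = hits
    return report


if __name__ == "__main__":
    for user, hits in exposed_users(USERS, SYS_PRIVS, ROLE_PRIVS).items():
        for priv, path in hits.items():
            print(f"{user}: {priv} via {path}")
```

The reported path names the role chain through which the privilege arrives, which is the grant to revoke or narrow.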

      Fix

      The vulnerability was fixed and users are advised to update to Exasol 6.2.15, 7.0.10, or 7.1.0.

            People

            • Assignee:
              CaptainEXA Captain EXASOL
              Reporter:
              CaptainEXA Captain EXASOL