[EXASOL-2902] Fixed vulnerability in UDF framework Created: 04.06.2021  Updated: 04.06.2021  Resolved: 04.06.2021

Status: Resolved
Project: EXASOL Roadmap
Component/s: None
Affects Version/s: EXASolution 5.0.0, EXASOL 6.0.0, Exasol 6.1.0, Exasol 6.2.0, Exasol 7.0.0, Exasol 7.1.beta1
Fix Version/s: Exasol 7.1.0, Exasol 6.2.15, Exasol 7.0.10, Exasol 7.1.rc1

Type: Bug Priority: Blocker
Reporter: Captain EXASOL Assignee: Captain EXASOL
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Blocking

Description

Vulnerability

Classification: Critical

A logged-in database user holding the system privilege CREATE SCRIPT or CREATE ANY SCRIPT could escape the sandbox in which UDF scripts are executed and gain access to the host machine running the database.

Prerequisites

  • User can log in to the database (valid credentials and the CREATE SESSION system privilege).
  • User holds at least one of the system privileges CREATE SCRIPT or CREATE ANY SCRIPT, either granted directly or via a role.

Workaround

We recommend reviewing the system privileges CREATE SCRIPT and CREATE ANY SCRIPT that have already been granted (directly to users, and to roles those users hold) and revoking them wherever they are not strictly required. Note that this only limits which accounts can reach the vulnerable code path; it does not remove the vulnerability, so it should be treated as an interim measure until the update below is applied.
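The following SQL is an added example of how a DBA could carry out that review; it is not part of the original advisory or of Exasol's own guidance. It assumes the Exasol system tables EXA_DBA_SYS_PRIVS (columns GRANTEE, PRIVILEGE, ADMIN_OPTION) and EXA_DBA_ROLE_PRIVS (columns GRANTEE, GRANTED_ROLE, ADMIN_OPTION) are readable by the reviewing account. The grantee names in the REVOKE statements are placeholders.

```sql
-- Added example, not from the advisory. Assumes the Exasol system tables
-- EXA_DBA_SYS_PRIVS and EXA_DBA_ROLE_PRIVS with the columns used below.

-- 1. Direct grants of the two privileges to users or roles.
SELECT grantee, privilege, admin_option
  FROM exa_dba_sys_privs
 WHERE privilege IN ('CREATE SCRIPT', 'CREATE ANY SCRIPT')
 ORDER BY grantee, privilege;

-- 2. Roles that carry either privilege, and the users (or roles) assigned
--    those roles. A grant to PUBLIC applies to every user. Only one level
--    of role nesting is resolved here; roles granted to other roles need
--    a second pass over EXA_DBA_ROLE_PRIVS.
SELECT rp.grantee      AS user_or_role,
       rp.granted_role AS via_role,
       sp.privilege
  FROM exa_dba_role_privs rp
  JOIN exa_dba_sys_privs  sp
    ON sp.grantee = rp.granted_role
 WHERE sp.privilege IN ('CREATE SCRIPT', 'CREATE ANY SCRIPT')
 ORDER BY rp.grantee, rp.granted_role;

-- 3. Revoke where the privilege is not needed. The grantee names below are
--    hypothetical placeholders; substitute the results of the queries above.
REVOKE CREATE ANY SCRIPT FROM reporting_user;
REVOKE CREATE SCRIPT     FROM analyst_role;
```

Re-run the first two queries after revoking to confirm that only the accounts that genuinely need to create UDF scripts remain, and keep the result as evidence of the interim mitigation until the fixed version is installed.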

Fix

The vulnerability has been fixed. Users are advised to update to Exasol 6.2.15, 7.0.10, or 7.1.0 (or the 7.1.rc1 pre-release), depending on the release line in use.


Generated at Sun Oct 17 09:09:35 CEST 2021 using Jira 7.13.18#713018-sha1:e1230154f8ff8cc9272975bf568fc732e806fd68.