Reference: Advisory #2024-294
Version: 1.0
Affected software: Databricks JDBC Driver
Type: Remote code execution
CVE/CVSS: CVE-2024-49194: CVSS 7.3 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
A vulnerability in the Databricks JDBC Driver could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter.
Databricks JDBC Driver enables connections between apps, tools, clients, SDKs and APIs through JDBC, an industry-standard specification for accessing database management systems.
Threat actors have been observed targeting JDBC drivers to steal information stored in databases and deploy malware.
CVE-2024-49194 has a high impact on all three components of the CIA triad (Confidentiality, Integrity, Availability).
At the time of writing there are no reports of active exploitation of this vulnerability (cutoff date: 18 December 2024).
CVE-2024-49194 is rooted in the improper handling of the krbJAASFile parameter in the Databricks JDBC Driver.
Successful exploitation could enable a threat actor to gain remote code execution in the context of the driver by tricking the victim into using a specially crafted connection URL that sets the krbJAASFile property.
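A defender-side inventory check, added here as an example and not part of the CCB advisory or of Databricks' own tooling: it flags driver builds older than the fixed version 2.6.40 named under Patch below and inspects a connection URL for the krbJAASFile property. It assumes the Databricks JDBC URL layout of `jdbc:databricks://host:port/schema` followed by `;key=value` properties; the sample URL and version strings are constructed.

```python
from typing import Dict, List, Tuple

FIXED_VERSION = (2, 6, 40)        # first fixed release per the advisory
SUSPECT_PROPERTY = "krbjaasfile"  # property named in the advisory, matched case-insensitively


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.6.38' into (2, 6, 38) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed driver build is older than 2.6.40."""
    return parse_version(version) < FIXED_VERSION


def parse_jdbc_properties(url: str) -> Dict[str, str]:
    """Split the ';key=value' properties of a Databricks-style JDBC URL (assumed layout)."""
    if not url.lower().startswith("jdbc:databricks://"):
        raise ValueError("not a Databricks JDBC URL")
    props: Dict[str, str] = {}
    _host_part, _, tail = url.partition(";")
    for item in tail.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            props[key.strip().lower()] = value.strip()
    return props


def review_connection(url: str, driver_version: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing to act on."""
    findings: List[str] = []
    if is_vulnerable_version(driver_version):
        findings.append(f"driver {driver_version} is below fixed version 2.6.40")
    props = parse_jdbc_properties(url)
    if SUSPECT_PROPERTY in props:
        # Any use of the parameter deserves review on an unpatched driver; confirm the
        # referenced file is a trusted local path controlled by your own administrators.
        findings.append(f"URL sets krbJAASFile={props[SUSPECT_PROPERTY]!r}; verify it is trusted")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    sample_url = ("jdbc:databricks://adb-example.cloud.databricks.com:443/default"
                  ";transportMode=http;ssl=1;AuthMech=3;httpPath=/sql/1.0/warehouses/abc;UID=token")
    for finding in review_connection(sample_url + ";krbJAASFile=/tmp/jaas.conf", "2.6.38"):
        print("FINDING:", finding)
```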
Patch
The Centre for Cybersecurity Belgium recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
CVE-2024-49194 is fixed in patch version 2.6.40 and above.
Please note that all current versions of Databricks Runtime on Databricks compute and serverless compute have already been patched and/or mitigated. Databricks recommends restarting any long running clusters to ensure you are using the latest version of your selected runtime.
If you are running an impacted version of the JDBC driver on your local machine, you can mitigate the vulnerability by updating the driver.
If you cannot update your JDBC driver, you should update your JVM configuration to prevent arbitrary deserialization via JNDI, which mitigates this vulnerability. In that case, ensure the following configuration values are set to false:
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via: https://notif.safeonweb.be/.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate a compromise that has already taken place.