Amazon has confirmed that three high-severity security vulnerabilities that could allow for privilege escalation and all the implications that this can bring for potential data compromise have been identified and fixed. Here’s what you need to know about the SQL injection issues across a number of Amazon Redshift drivers: CVE-2024-12744, CVE-2024-12745 and CVE-2024-12746
What Is Amazon Redshift?
Amazon Redshift is part of the Amazon Web Services cloud-computing platform, a data warehousing solution to process large-scale datasets and database migrations and allow as much as 16 petabytes of data on a single cluster. Amazon said that Amazon Redshift can enable near real-time analytics without building complex data pipelines, bringing the ability to “analyze petabytes of data without the burden of infrastructure management.” It is the powerful SQL analytic capabilities of Amazon Redshift when used with SageMaker Lakehouse that attracts tens of thousands of customers. And hackers.
Amazon Redshift SQL Injection Vulnerabilites CVE-2024-12744, CVE-2024-12745, And CVE-2024-12746 Explained
In a Dec. 24 security bulletin, Amazon Web Services said that it had identified high-severity issues within the Amazon Redshift Java Database Connectivity Driver, Amazon Redshift Python Connector, and Amazon Redshift Open Database Connectivity Driver. The vulnerabilities, all of which get an official rating of 8, impact Amazon Redshift JDBC Driver, version 2.1.0.31; Amazon Redshift Python Connector, version 2.1.4; Amazon Redshift ODBC Driver, version v2.1.5.0.
CVE-2024-12744 is a SQL injection issue in the RedShift JDBC Driver which could allow an attacker to gain escalated privileges. “We recommend customers upgrade to the driver version 2.1.0.32,” Amazon said, “or revert to driver version 2.1.0.30.”
CVE-2024-12745 is another SQL injection issue, this time in the Redshift Python Connector, whereby an SQL command using externally influenced input from an upstream component doesn’t neutralize, or does so incorrectly, elements that could modify the intended command. “This issue has been addressed in driver version 2.1.5,” Amazon said, “we recommend customers upgrade to the driver version 2.1.5 or revert to driver version 2.1.3.”
CVE-2024-12746 impacts the Redshift ODBC Driver v2.1.5.0 and allows privilege escalation by way of an SQL injection issues when utilizing the SQLTables or SQLColumns Metadata APIs. “This issue has been addressed in driver version 2.1.6.0,” Amazon said, “we recommend customers upgrade to the driver version 2.1.6.0 or revert to driver version 2.1.4.0.”
Amazon said that the fixes were all made available on Dec. 23 and recommended all customers upgrade to the latest version to address the security vulnerabilities as soon as possible. I have reached out to Amazon for a statement.
