Security Bulletin: Databricks JDBC Driver Vulnerability Advisory - [CVE-2024-49194]

Restart any long running clusters and update your JDBC driver to the latest version.

Written by Adam Pavlacka

Last published at: December 11th, 2024

Bulletin ID: DB-2024-01
Publication Date: 2024-DEC-11
Last Updated: 2024-DEC-11

Problem

A vulnerability in the Databricks JDBC Driver could allow remote code execution (RCE) through JNDI injection triggered by a JDBC URL parameter. The issue was reported through the Databricks bug bounty program and was assigned CVE-2024-49194. It is rated High severity (CVSSv3.1 base score 7.3) and is fixed in Databricks JDBC Driver version 2.6.40 and above.

CVE ID           Affected Product Versions   Fixed Product Versions   CVSSv3.1
CVE-2024-49194   2.6.38 and below            2.6.40 and above         7.3


Cause

The vulnerability is rooted in improper handling of the krbJAASFile connection property. The driver does not sufficiently validate this value, so a specially crafted JDBC URL that sets krbJAASFile can cause a JNDI lookup against an attacker-chosen endpoint (JNDI injection). An attacker who can trick a victim into connecting with such a URL could gain RCE in the context of the JVM that loaded the driver. The JDBC URL is therefore the attack surface: treat connection strings that arrive from users, shared configuration, or other untrusted sources as untrusted input.

Solution

All current versions of Databricks Runtime on Databricks compute and serverless compute have already been patched and/or mitigated. Databricks recommends that you restart any long running clusters to ensure you are using the latest version of your selected runtime.

If you are running an affected version of the JDBC driver on your local machine or in your own applications, update the driver; that is the fix. If you cannot update the driver, harden the JVM configuration as described below as an interim mitigation.

Update JDBC driver

The Databricks JDBC Driver version 2.6.40 and above fully resolves the issue. Treat any driver version below 2.6.40 as unpatched.

Databricks recommends you download and install the updated driver immediately.

Update JVM configuration

If you cannot update your JDBC Driver, set two Java system properties on the JVM that loads the driver. Both control what the JDK's JNDI/LDAP client does with data returned by an LDAP server: trustURLCodebase=false prevents it from loading classes from a remote codebase, and trustSerialData=false prevents it from deserializing Java objects carried in LDAP attributes. With both set to false, a JNDI lookup pointed at an attacker-controlled server cannot be turned into code execution by those means.

Ensure the following configuration values are set to false:

  • com.sun.jndi.ldap.object.trustURLCodebase
  • com.sun.jndi.ldap.object.trustSerialData

Set them at JVM startup (for example with -D flags on the java command line, or through JAVA_TOOL_OPTIONS for a JVM you do not launch directly), because the JDK reads them when the JNDI LDAP classes are initialized; setting them later from application code may have no effect. The defaults differ between JDK releases, so set both explicitly rather than relying on the default. This is a mitigation only; updating the driver remains the fix.
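The following launcher script is an added example for this bulletin, not Databricks code; it ties together the Cause section (the krbJAASFile URL parameter) and the JVM mitigation above. It pins both properties at JVM launch, checks an existing option string (such as JAVA_TOOL_OPTIONS) to confirm the mitigation is really in effect, and refuses JDBC URLs that carry krbJAASFile. Rejecting krbJAASFile outright is an assumed policy for environments that do not use Kerberos with the driver; the function names, the JAVA_OPTS convention and the sample URLs used in comments are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example (not Databricks code): launch a JDBC client JVM with the
# CVE-2024-49194 mitigation pinned, and refuse URLs that set krbJAASFile.
# Assumption: this environment never needs krbJAASFile; relax jdbc_url_uses_jaas
# handling in launch_jdbc_client if you legitimately use Kerberos with the driver.
set -u

# Properties named in the bulletin. Both must be explicitly "false".
JNDI_PROPS="com.sun.jndi.ldap.object.trustURLCodebase com.sun.jndi.ldap.object.trustSerialData"

# jvm_hardening_flags: print the -D flags that pin both properties to false,
# space separated, for a java command line or for JAVA_TOOL_OPTIONS.
jvm_hardening_flags() {
    local p out=""
    for p in $JNDI_PROPS; do
        out="$out -D$p=false"
    done
    printf '%s' "${out# }"
}

# jvm_opts_hardened OPTS: exit 0 only if OPTS sets both properties to false.
# A missing property fails closed (defaults vary by JDK release), and the last
# -D assignment on the line wins, as it does for the JVM itself.
jvm_opts_hardened() {
    local opts="$1" p last
    for p in $JNDI_PROPS; do
        last=$(printf '%s\n' "$opts" | tr ' ' '\n' | grep -- "^-D$p=" | tail -n 1)
        [ "$last" = "-D$p=false" ] || return 1
    done
    return 0
}

# jdbc_url_uses_jaas URL: exit 0 if the URL carries a krbJAASFile property
# (case-insensitive), the parameter this bulletin is about. Databricks JDBC
# URLs separate properties with ';', e.g.
#   jdbc:databricks://host:443/default;AuthMech=1;krbJAASFile=/tmp/x.conf
jdbc_url_uses_jaas() {
    printf '%s' "$1" | grep -qi ';[[:space:]]*krbJAASFile='
}

# launch_jdbc_client URL CLASSPATH MAINCLASS [ARGS...]: refuse URLs that set
# krbJAASFile, then exec java with the hardening flags placed after any
# caller-supplied JAVA_OPTS so they cannot be re-enabled by an earlier -D.
launch_jdbc_client() {
    local url="$1" cp="$2" main="$3"
    shift 3
    if jdbc_url_uses_jaas "$url"; then
        echo "refusing JDBC URL: krbJAASFile is not permitted here (CVE-2024-49194)" >&2
        return 2
    fi
    # shellcheck disable=SC2046,SC2086  # word splitting of the flag strings is intended
    exec java ${JAVA_OPTS:-} $(jvm_hardening_flags) -cp "$cp" "$main" "$url" "$@"
}
```

For a JVM you do not start yourself, export the output of jvm_hardening_flags in JAVA_TOOL_OPTIONS and run jvm_opts_hardened against that variable from your startup checks; the check deliberately fails when either property is absent, since a JDK whose default happens to be false today may not be the JDK the host runs tomorrow.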


Contact Information

If you have any questions, email Databricks support at help@databricks.com or the Databricks Security Team at security@databricks.com with the subject line CVE-2024-49194.

For vulnerability reporting, please visit https://hackerone.com/databricks.

Acknowledgments

We would like to thank Ziyang Li, Ji'an Zhou, Ying Zhu of Alibaba Cloud Intelligence Security Team for their collaboration in identifying and addressing this issue.

Changelog

2024-DEC-11: Initial release of the security bulletin.