Source: c3p0
Version: 0.9.1.2-11
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for c3p0.

CVE-2026-27830[0]:
| c3p0, a JDBC Connection pooling library, is vulnerable to attack via
| maliciously crafted Java-serialized objects and
| `javax.naming.Reference` instances. Several c3p0
| `ConnectionPoolDataSource` implementations have a property called
| `userOverridesAsString` which conceptually represents a
| `Map<String,Map<String,String>>`. Prior to v0.12.0, that property
| was maintained as a hex-encoded serialized object. Any attacker able
| to reset this property, on an existing `ConnectionPoolDataSource` or
| via maliciously crafted serialized objects or
| `javax.naming.Reference` instances, could be tailored to execute
| unexpected code on the application's `CLASSPATH`. The danger of this
| vulnerability was strongly magnified by vulnerabilities in c3p0's
| main dependency, mchange-commons-java. This library includes code
| that mirrors early implementations of JNDI functionality, including
| ungated support for remote `factoryClassLocation` values. Attackers
| could set c3p0's `userOverridesAsString` hex-encoded serialized
| objects that include objects "indirectly serialized" via JNDI
| references. Deserialization of those objects and dereferencing of
| the embedded `javax.naming.Reference` objects could provoke download
| and execution of malicious code from a remote
| `factoryClassLocation`. Although the hazard presented by c3p0's
| vulnerabilities is exacerbated by vulnerabilities in
| mchange-commons-java, use of Java-serialized-object hex as the format
| for a writable Java-Bean property, of objects that may be exposed
| across JNDI interfaces, represents a serious independent fragility.
| The `userOverridesAsString` property of c3p0 `ConnectionPoolDataSource`
| classes has been reimplemented to use a safe CSV-based format,
| rather than rely upon potentially dangerous Java object
| deserialization.
| c3p0-0.12.0+ and above depend upon mchange-commons-java 0.4.0+,
| which gates support for remote `factoryClassLocation`
| values by configuration parameters that default to restrictive
| values. c3p0 additionally enforces the new mchange-commons-java
| `com.mchange.v2.naming.nameGuardClassName` to prevent injection of
| unexpected, potentially remote JNDI names. There is no supported
| workaround for versions of c3p0 prior to 0.12.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-27830
    https://www.cve.org/CVERecord?id=CVE-2026-27830
[1] https://github.com/swaldman/c3p0/security/advisories/GHSA-5476-xc4j-rqcv
[2] https://github.com/swaldman/c3p0/commit/e14cbd8166e423e2e9a9d6f08b2add3433492d6e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
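The advisory's core point is that a writable bean property carrying hex-encoded Java serialization is a deserialization sink wherever that property can be set (a properties file, a JNDI binding, a reconstructed `Reference`). The following script is an added example written for this bug report, not c3p0's or mchange-commons-java's own code: it scans configuration lines for `userOverridesAsString` values that begin with the Java serialization stream header (`AC ED 00 05`, which is the real, documented `STREAM_MAGIC`/`STREAM_VERSION`), and parses a plain-text nested-map layout that needs no deserialization at all. The `user:key=value,...;user2:...` layout, the `c3p0.userOverridesAsString` property-file key, and the sample configuration are all assumptions constructed for the example; c3p0 0.12.0's actual CSV format is not reproduced here.

```python
"""Added example for Debian bug on CVE-2026-27830 (not c3p0's own code).

Two defensive pieces:
  1. looks_like_serialized_java_object(): flag hex strings that carry a
     Java serialization stream header, which is what a pre-0.12.0
     `userOverridesAsString` value looked like.
  2. parse_user_overrides(): read a Map<String,Map<String,String>> from an
     ASSUMED plain-text layout that is validated with an allow-list and
     never handed to ObjectInputStream or a JNDI lookup.
"""
import re

# Java serialization stream header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005.
JAVA_SERIAL_MAGIC_HEX = "aced0005"

# Constructed sample configuration (not from any real deployment).  Line 3 is
# a truncated serialized-object prefix: header + TC_OBJECT + TC_CLASSDESC +
# the class name "java.util.HashMap".  The key names are an assumed
# c3p0.properties-style layout.
SAMPLE_CONFIG = """\
c3p0.jdbcUrl=jdbc:postgresql://db.example.internal/app
c3p0.user=app
c3p0.userOverridesAsString=aced0005737200116a6176612e7574696c2e486173684d6170
c3p0.maxPoolSize=20
c3p0.userOverridesAsString=alice:maxPoolSize=5,maxIdleTime=30;bob:maxPoolSize=2
"""

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
_TOKEN_RE = re.compile(r"^[A-Za-z0-9_.-]+$")   # allow-list for names and values


def looks_like_serialized_java_object(value: str) -> bool:
    """True if `value` is an all-hex string whose first four bytes are the
    Java serialization stream header.  Case-insensitive; whitespace ignored."""
    compact = "".join(value.split())
    if len(compact) < len(JAVA_SERIAL_MAGIC_HEX) or not _HEX_RE.match(compact):
        return False
    return compact.lower().startswith(JAVA_SERIAL_MAGIC_HEX)


def parse_user_overrides(text: str) -> dict[str, dict[str, str]]:
    """Parse the ASSUMED layout  user1:k=v,k=v;user2:k=v  into a nested dict.

    Every user name, key and value must match _TOKEN_RE, so a blob of hex
    or a JNDI-style name (`ldap://...`, `rmi://...`) is rejected instead
    of being interpreted.  Raises ValueError on any malformed piece."""
    result: dict[str, dict[str, str]] = {}
    for user_block in filter(None, (b.strip() for b in text.split(";"))):
        user, sep, pairs = user_block.partition(":")
        if not sep or not _TOKEN_RE.match(user):
            raise ValueError(f"malformed user block: {user_block!r}")
        overrides: dict[str, str] = {}
        for pair in filter(None, (p.strip() for p in pairs.split(","))):
            key, eq, value = pair.partition("=")
            if not eq or not _TOKEN_RE.match(key) or not _TOKEN_RE.match(value):
                raise ValueError(f"malformed override {pair!r} for user {user!r}")
            overrides[key] = value
        result[user] = overrides
    return result


def scan_config(text: str) -> list[tuple[int, str]]:
    """Return (line_number, reason) findings for every
    c3p0.userOverridesAsString value that is either a serialized Java
    object or does not parse under the plain-text layout."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "c3p0.userOverridesAsString":
            continue
        value = value.strip()
        if looks_like_serialized_java_object(value):
            findings.append((lineno, "hex-encoded Java serialized object"))
            continue
        try:
            parse_user_overrides(value)
        except ValueError as exc:
            findings.append((lineno, f"unparseable overrides: {exc}"))
    return findings


if __name__ == "__main__":
    for lineno, reason in scan_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}")
```

Run against the embedded sample it reports only line 3; the plain-text value on line 5 parses to `{"alice": {"maxPoolSize": "5", "maxIdleTime": "30"}, "bob": {"maxPoolSize": "2"}}`. The header check is deliberately narrow (it catches the pre-0.12.0 representation, not every possible encoding), so the parser's allow-list, not the magic check, is what makes the replacement format safe: nothing it accepts can name a class, a codebase URL or a JNDI reference.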
