Security Advisory

Magnitude Simba Redshift and Athena Driver Vulnerability

Description

A vulnerability has been discovered that affects the Amazon Redshift ODBC and JDBC drivers and Amazon Athena ODBC and JDBC drivers. These drivers are developed and maintained by Magnitude Simba. The vulnerability involves improper validation of authentication tokens which may allow for unintended program invocation. To exploit this vulnerability, the attacker must be locally authenticated as a user on the system. We have identified and resolved the root cause of the vulnerability.

Resolution

To remediate the vulnerability, update to the fixed version indicated in the response matrix below. Magnitude Simba customers can download fixed versions from the Magnitude Support Portal.

Updated drivers have been provided to downstream vendors who package and deliver them to their customers. If you obtained the driver from another authorized source, then please download the update there.

Response Matrix

| Product | Vulnerable Versions | CVE Identifier | Fixed Version | Workaround |
|---|---|---|---|---|
| Magnitude Simba Amazon Redshift ODBC Driver | 1.4.11 – 1.4.21.1001, 1.4.22 – 1.4.51 | CVE-2022-29972 | 1.4.52 | None |
| Magnitude Simba Amazon Athena ODBC Driver | 1.1.1 – 1.1.16 | CVE-2022-29971 | 1.1.17 | None |
| Magnitude Simba Amazon Redshift JDBC Driver | 1.2.40 – 1.2.55 | CVE-2022-30240 | 1.2.56 | None |
| Magnitude Simba Amazon Athena JDBC Driver | 2.0.25 – 2.0.28 | CVE-2022-30239 | 2.0.29 | None |
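
The following is an added example, not part of the advisory or Magnitude Simba's tooling: a triage check that classifies installed driver versions against the response matrix above. The short product keys, the host names in the sample inventory, and the rule that a build suffix beyond the matrix's precision (for example 1.4.51.1000) belongs to that release are assumptions; versions are assumed to be dotted numeric strings.

```python
import re

# Response matrix from this advisory, keyed by shortened product names (assumed keys):
# product -> (vulnerable ranges, CVE identifier, fixed version)
MATRIX = {
    "Redshift ODBC": ([("1.4.11", "1.4.21.1001"), ("1.4.22", "1.4.51")],
                      "CVE-2022-29972", "1.4.52"),
    "Athena ODBC": ([("1.1.1", "1.1.16")], "CVE-2022-29971", "1.1.17"),
    "Redshift JDBC": ([("1.2.40", "1.2.55")], "CVE-2022-30240", "1.2.56"),
    "Athena JDBC": ([("2.0.25", "2.0.28")], "CVE-2022-30239", "2.0.29"),
}

def parse_version(text):
    """Turn '1.4.21.1001' into (1, 4, 21, 1001); reject non-numeric input."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def classify(product, version_text):
    """Return (status, cve, fixed_version) for one installed driver."""
    ranges, cve, fixed = MATRIX[product]
    version = parse_version(version_text)
    for low, high in ranges:
        low_t, high_t = parse_version(low), parse_version(high)
        # Assumption: compare only as many components as the upper bound gives,
        # so 1.4.51.1000 is treated as a build of 1.4.51 (still vulnerable).
        if low_t <= version and version[:len(high_t)] <= high_t:
            return ("vulnerable", cve, fixed)
    if version >= parse_version(fixed):
        return ("fixed", None, fixed)
    # Below the fix but outside every listed range: the matrix is silent,
    # so flag it for manual review instead of reporting it as safe.
    return ("not-listed", None, fixed)

# Constructed sample inventory: (host, product, installed version)
INVENTORY = [
    ("db-host-01", "Redshift ODBC", "1.4.21.1001"),
    ("db-host-02", "Redshift ODBC", "1.4.21.1002"),
    ("etl-03", "Athena JDBC", "2.0.29"),
    ("bi-04", "Redshift JDBC", "1.2.45.1069"),
]

def triage(inventory):
    """Return (host, status, cve) for every inventory row."""
    return [(host,) + classify(product, ver)[:2] for host, product, ver in inventory]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(row)
```

Rows reported as `not-listed` fall below the fixed version but outside the published ranges, such as a Redshift ODBC build between 1.4.21.1001 and 1.4.22, and need manual review.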