Announcement: On-Premises Customers
Please be aware of a critical vulnerability (CVE-2022-42915) in some of our On-Premises ODBC drivers.
This vulnerability affects only On-Premises installations of Board ODBC drivers with the HTTP proxy enabled.
It affects the following currently supported drivers:
- Oracle 8.0 ODBC
- SQLServer 8.0 ODBC
- DB2 8.0 ODBC
- PostgreSQL 8.0 ODBC
- Redshift 8.0 ODBC
- Hive 8.0 ODBC
- Spark 8.0 ODBC
- MySQL 8.0 ODBC
- Informix 8.0 ODBC
- Sybase IQ 8.0 ODBC
- Hybrid Data Pipeline ODBC
If your application connects to a database server through an HTTP proxy using any of these drivers, it is vulnerable. The vulnerability is caused by a flaw in the error/cleanup handling of curl, which can trigger a double-free if one of the following schemes is used in the URL for the transfer: dict, gopher, gophers, ldap, ldaps, rtmp, rtmps, or telnet.
To address this vulnerability, we will upgrade the ODBC drivers library installers in our next major release (2023 SUMMER release).
Workaround: To avoid any risk related to this vulnerability, we suggest not using an HTTP proxy with these drivers until our next major release (2023 SUMMER release).
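To apply the workaround you first need to know which data sources have a proxy configured. The PowerShell script below is an added example, not part of the original announcement or of Board's tooling: it lists Windows ODBC DSNs that carry a non-empty proxy-related setting. It assumes the driver stores its proxy options as DSN registry values whose names contain "Proxy"; confirm the exact option names in your driver's documentation and adjust `$NamePattern` accordingly.

```powershell
# Added example: find ODBC DSNs with a non-empty proxy-related option.
# Assumption: proxy options are stored as DSN values whose names contain "Proxy".
# Change $NamePattern to match the option names documented for your driver.
$NamePattern = 'Proxy'

# Standard Windows locations for system DSNs (64-bit and 32-bit) and user DSNs.
$roots = @(
    'HKLM:\SOFTWARE\ODBC\ODBC.INI',
    'HKLM:\SOFTWARE\WOW6432Node\ODBC\ODBC.INI',
    'HKCU:\SOFTWARE\ODBC\ODBC.INI'
)

$findings = foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($dsn in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        # "ODBC Data Sources" is the index of DSN names, not a DSN itself.
        if ($dsn.PSChildName -eq 'ODBC Data Sources') { continue }
        foreach ($name in $dsn.GetValueNames()) {
            if ($name -notmatch $NamePattern) { continue }
            $value = [string]$dsn.GetValue($name)
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            # Never print stored proxy credentials.
            $shown = if ($name -match 'Pass|Pwd') { '<redacted>' } else { $value }
            [pscustomobject]@{
                Scope  = $root
                DSN    = $dsn.PSChildName
                Driver = $dsn.GetValue('Driver')
                Option = $name
                Value  = $shown
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Scope, DSN, Option | Format-Table -AutoSize
} else {
    Write-Output 'No DSN with a proxy-related option was found.'
}
```

Review each hit against the driver list above, since a value may also represent a disabled setting. The script only sees registry DSNs, so connection strings built inside applications need a separate check.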
We take the security of our products seriously and apologize for any inconvenience this may cause. If you have any questions or concerns, please do not hesitate to contact our team at product.management@board.com.