Critical ADOdb Vulnerabilities Fixed in Ubuntu
Multiple vulnerabilities have been addressed in ADOdb, a PHP database abstraction layer library. These vulnerabilities could cause severe security issues, such as SQL injection attacks, cross-site scripting (XSS) attacks, and authentication bypasses.
The Ubuntu security team has released updates to address them in various versions of Ubuntu, including Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 16.04 ESM. Users and organizations are strongly encouraged to apply updates promptly to mitigate potential risks.
Understanding ADOdb and Its Vulnerabilities
ADOdb is widely used in PHP applications to provide a unified interface for database access. However, like any software, it is not immune to security flaws. Several critical vulnerabilities have been identified and patched, highlighting the importance of keeping your ADOdb library up to date.
Here are the vulnerabilities that have been fixed:
CVE-2016-7405 (CVSS v3 Severity Score: 9.8 Critical)
It was discovered that the PDO driver in ADOdb was incorrectly handling string quotes. This flaw could allow a remote attacker to execute SQL injection attacks, potentially compromising the database. This vulnerability only affected Ubuntu 16.04.
CVE-2016-4855 (CVSS v3 Severity Score: 6.1 Medium)
Another vulnerability was found in how ADOdb handled GET parameters in the test.php file. A remote attacker could exploit this vulnerability to perform XSS attacks, which could lead to unauthorized actions being performed on behalf of the user. This issue also only affected Ubuntu 16.04.
CVE-2021-3850 (CVSS v3 Severity Score: 9.1 Critical)
Emmet Leahy discovered a vulnerability where ADOdb incorrectly handled string quotes in PostgreSQL connections. This flaw could allow a remote attacker to bypass authentication, gaining unauthorized access to the database.
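The three issues above share a root cause: application code that depends on the library to escape or quote values correctly before they are spliced into SQL or HTML. The defensive pattern that removes that dependency is to pass values as bound parameters and to encode anything reflected into a page. The following is an added example written for this article; it is not code from the advisory or from the ADOdb project. It assumes ADOdb is installed at `/usr/share/php/adodb/adodb.inc.php` (the location used by Ubuntu's `php-adodb` package; adjust the path if yours differs) and that PHP's PDO SQLite extension is available. The `users` table, its rows and the function names are constructed for the demonstration.

```php
<?php
// Added example (not from the advisory or the ADOdb project).
// Assumption: ADOdb lives at the path below; PDO SQLite is available.
require_once '/usr/share/php/adodb/adodb.inc.php';

// Build an in-memory SQLite database through ADOdb's PDO driver and seed
// it with constructed rows, one of which contains a single quote.
function openDemoDb(): ADOConnection {
    $db = ADONewConnection('pdo');
    $db->Connect('sqlite::memory:');
    $db->Execute('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->Execute('INSERT INTO users (name, role) VALUES (?, ?)', ['alice', 'admin']);
    $db->Execute('INSERT INTO users (name, role) VALUES (?, ?)', ["o'brien", 'user']);
    return $db;
}

// Fragile pattern: the value is escaped with qstr() and concatenated into the
// SQL text. Whether this is safe depends entirely on the driver quoting the
// string correctly, which is exactly what CVE-2016-7405 and CVE-2021-3850
// got wrong. Shown only for comparison; do not use this form.
function lookupRoleFragile(ADOConnection $db, string $name) {
    $sql = 'SELECT role FROM users WHERE name = ' . $db->qstr($name);
    return $db->GetOne($sql); // false when no row matches
}

// Robust pattern: a ? placeholder plus a separate parameter array. ADOdb
// forwards the array to a PDO prepared statement, so the value is never
// parsed as SQL no matter what characters it contains.
function lookupRoleSafe(ADOConnection $db, string $name) {
    return $db->GetOne('SELECT role FROM users WHERE name = ?', [$name]);
}

// Output encoding for anything echoed back into HTML. CVE-2016-4855 was a
// reflected-input XSS; encoding at the point of output is the fix the
// application side controls regardless of library version.
function renderRole(string $name, string $role): string {
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>' . $h($name) . ' has role ' . $h($role) . '</p>';
}

$db = openDemoDb();
// Constructed inputs: a plain name, a name containing a quote, and a name
// containing markup. All three are handled without special-casing.
foreach (['alice', "o'brien", '<b>bob</b>'] as $name) {
    $role = lookupRoleSafe($db, $name);
    echo renderRole($name, $role === false ? '(none)' : (string) $role), "\n";
}
```

Run it with `php example.php`; the second line shows the quoted name matched its row, and the third shows the markup rendered inert as `&lt;b&gt;bob&lt;/b&gt;`. Keeping the library patched is still required (the connection-string issue in CVE-2021-3850 is not something query code can work around), but code written in the robust form does not become injectable the next time a quoting bug appears in a driver.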
How to Stay Secure
To protect your systems from these vulnerabilities, update the ADOdb package to the latest version available in your Ubuntu release's repository. Keeping the library current closes these issues and ensures that the quoting and escaping your applications rely on behaves as intended.
Ubuntu 16.04 and Ubuntu 18.04 have already reached the end of their standard support period, so they no longer receive security fixes through the regular channels. Canonical does, however, provide security updates for them through Expanded Security Maintenance (ESM), available via Ubuntu Pro.
Looking for a cost-effective alternative to Ubuntu Pro for extended security? Consider TuxCare’s Extended Lifecycle Support. TuxCare offers critical security patches for up to five additional years after the End-of-Life (EOL) date, ensuring your Ubuntu system stays secure while you plan a safe migration at your own pace.
Furthermore, TuxCare's Extended Lifecycle Support for PHP provides extended security updates for outdated PHP versions. This allows you to keep running PHP applications on older versions of PHP securely for years without a massive code rewrite.
Source: USN-6825-1