Addressed CVE-2025-59250 and version updates for 10.2.4 (#2802)

Author: muskan124947

CHANGELOG.md

@@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 
+## [10.2.4] Hotfix & Stable Release
+### Fixed issues
+- **Address a hostname validation vulnerability by securely parsing certificate common names.**
+  **What was fixed**: Secure hostname validation is enforced by replacing the vulnerable CN parsing logic in SQLServerCertificateUtils.java, preventing spoofing attacks.
+  **Who benefits**:  All users of the SQL Server JDBC driver, especially those relying on TLS for secure connections, benefit from improved certificate validation.
+
 ## [10.2.3] HotFix & Stable Release
 ### Fixed issues
 - Fixed incorrect update counts when timeout occurs in batch queries [2024](https://github.com/microsoft/mssql-jdbc/pull/2024)

README.md

@@ -80,7 +80,7 @@ We're now on the Maven Central Repository. Add the following to your POM file to
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>10.2.2.jre17</version>
+	<version>10.2.4.jre17</version>
 </dependency>
 ```
 The driver can be downloaded from the [Microsoft Download Center](https://go.microsoft.com/fwlink/?linkid=2168495).
@@ -91,7 +91,7 @@ To get the latest preview version of the driver, add the following to your POM f
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>10.2.2.jre17</version>
+	<version>10.2.4.jre17</version>
 </dependency>
 ```
 
@@ -126,7 +126,7 @@ Projects that require either of the two features need to explicitly declare the
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>10.2.2.jre17</version>
+	<version>10.2.4.jre17</version>
 	<scope>compile</scope>
 </dependency>
 
@@ -144,7 +144,7 @@ Projects that require either of the two features need to explicitly declare the
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>10.2.2.jre17</version>
+	<version>10.2.4.jre17</version>
 	<scope>compile</scope>
 </dependency>
 
@@ -171,7 +171,7 @@ When setting 'useFmtOnly' property to 'true' for establishing a connection or cr
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>10.2.2.jre17</version>
+	<version>10.2.4.jre17</version>
 </dependency>
 
 <dependency>

build.gradle

@@ -11,7 +11,7 @@
 
 apply plugin: 'java'
 
-version = '10.2.3'
+version = '10.2.4'
 def jreVersion = ""
 def testOutputDir = file("build/classes/java/test")
 def archivesBaseName = 'mssql-jdbc'

mssql-jdbc_auth_LICENSE

@@ -1,5 +1,5 @@
 MICROSOFT SOFTWARE LICENSE TERMS
-MICROSOFT JDBC DRIVER 10.2.3 FOR SQL SERVER
+MICROSOFT JDBC DRIVER 10.2.4 FOR SQL SERVER
 
 These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.  BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
 

pom.xml

@@ -6,7 +6,7 @@
 
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>10.2.3</version>
+	<version>10.2.4</version>
 	<packaging>jar</packaging>
 
 	<name>Microsoft JDBC Driver for SQL Server</name>

src/main/java/com/microsoft/sqlserver/jdbc/IOBuffer.java

@@ -64,6 +64,9 @@
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
+import javax.naming.InvalidNameException;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
 import javax.net.SocketFactory;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.SSLContext;
@@ -1524,38 +1527,34 @@ private final class HostNameOverrideX509TrustManager implements X509TrustManager
             this.hostName = hostName.toLowerCase(Locale.ENGLISH);
         }
 
-        // Parse name in RFC 2253 format
-        // Returns the common name if successful, null if failed to find the common name.
-        // The parser tuned to be safe than sorry so if it sees something it cant parse correctly it returns null
-        private String parseCommonName(String distinguishedName) {
-            int index;
-            // canonical name converts entire name to lowercase
-            index = distinguishedName.indexOf("cn=");
-            if (index == -1) {
-                return null;
-            }
-            distinguishedName = distinguishedName.substring(index + 3);
-            // Parse until a comma or end is reached
-            // Note the parser will handle gracefully (essentially will return empty string) , inside the quotes (e.g
-            // cn="Foo, bar") however
-            // RFC 952 says that the hostName cant have commas however the parser should not (and will not) crash if it
-            // sees a , within quotes.
-            for (index = 0; index < distinguishedName.length(); index++) {
-                if (distinguishedName.charAt(index) == ',') {
-                    break;
+        /**
+         * Securely parse the Common Name from an X.509 certificate using RFC2253 format.
+         * This method prevents DN injection attacks by using LdapName/Rdn parsing.
+         * 
+         * @param cert X.509 certificate
+         * @return Common Name from the certificate subject, or null if not found
+         */
+        private String parseCommonNameSecure(X509Certificate cert) {
+            try {
+                String subjectDN = cert.getSubjectX500Principal().getName(); // RFC2253 format
+                LdapName ldapName = new LdapName(subjectDN);
+                
+                // Iterate through RDNs to find CN
+                for (Rdn rdn : ldapName.getRdns()) {
+                    if ("CN".equalsIgnoreCase(rdn.getType())) {
+                        return rdn.getValue().toString();
+                    }
                 }
-            }
-            String commonName = distinguishedName.substring(0, index);
-            // strip any quotes
-            if (commonName.length() > 1 && ('\"' == commonName.charAt(0))) {
-                if ('\"' == commonName.charAt(commonName.length() - 1))
-                    commonName = commonName.substring(1, commonName.length() - 1);
-                else {
-                    // Be safe the name is not ended in " return null so the common Name wont match
-                    commonName = null;
+                if (logger.isLoggable(Level.FINER)) {
+                    logger.finer(logContext + " No CN found in certificate subject");
                 }
+                return null;
+            } catch (Exception e) {
+                if (logger.isLoggable(Level.WARNING)) {
+                    logger.warning(logContext + " Error parsing certificate: " + e.getMessage());
+                }
+                return null;
             }
-            return commonName;
         }
 
         private boolean validateServerName(String nameInCert) {
@@ -1645,17 +1644,21 @@ public void checkServerTrusted(X509Certificate[] chain, String authType) throws
         }
 
         private void validateServerNameInCertificate(X509Certificate cert) throws CertificateException {
-            String nameInCertDN = cert.getSubjectX500Principal().getName("canonical");
             if (logger.isLoggable(Level.FINER)) {
                 logger.finer(logContext + " Validating the server name:" + hostName);
-                logger.finer(logContext + " The DN name in certificate:" + nameInCertDN);
             }
 
             boolean isServerNameValidated;
             String dnsNameInSANCert = "";
 
-            // the name in cert is in RFC2253 format parse it to get the actual subject name
-            String subjectCN = parseCommonName(nameInCertDN);
+            // Use secure RFC2253 parsing to prevent DN injection attacks
+            String subjectCN = parseCommonNameSecure(cert);
+            // X.509 certificate standard requires domain names to be in ASCII.
+            // Even IDN (Unicode) names will be represented here in Punycode (ASCII).
+            // Normalize case for comparison using English to avoid case issues like Turkish i.
+            if (subjectCN != null) {
+                subjectCN = subjectCN.toLowerCase(Locale.ENGLISH);
+            }
 
             isServerNameValidated = validateServerName(subjectCN);
 

src/main/java/com/microsoft/sqlserver/jdbc/SQLJdbcVersion.java

@@ -8,7 +8,7 @@
 final class SQLJdbcVersion {
     static final int major = 10;
     static final int minor = 2;
-    static final int patch = 3;
+    static final int patch = 4;
     static final int build = 0;
     /*
      * Used to load mssql-jdbc_auth DLL.

src/samples/adaptive/pom.xml

@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>10.2.0.jre17</version>
+			<version>10.2.4.jre17</version>
 		</dependency>
 	</dependencies>
 	<profiles>

src/samples/alwaysencrypted/pom.xml

@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>10.2.0.jre17</version>
+			<version>10.2.4.jre17</version>
 		</dependency>
 	</dependencies>
 	<profiles>

src/samples/azureactivedirectoryauthentication/pom.xml

@@ -14,7 +14,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>10.2.0.jre17</version>
+			<version>10.2.4.jre17</version>
 		</dependency>
 	</dependencies>
 	<profiles>