Address CVE-2025-59250: Fix spoofing vulnerability in JDBC Driver for SQL Server due to improper input validation and update version to 12.8.2 (#2804)

Ananya2 · web-flow · commit 592fde0bd7b9 · 2025-10-15T12:09:13.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
 
+## [12.8.2] Hotfix & Stable Release
+### Fixed issues
+- **Address a hostname validation vulnerability by securely parsing certificate common names.**
+  **What was fixed**: Secure hostname validation is enforced by replacing the vulnerable CN parsing logic in SQLServerCertificateUtils.java, preventing spoofing attacks.
+  **Who benefits**:  All users of the SQL Server JDBC driver, especially those relying on TLS for secure connections, benefit from improved certificate validation.
+
 ## [12.8.1] Hotfix & Stable Release
 ### Changed
 - Changed MSAL logging from FINER to FINEST [#2491](https://github.com/microsoft/mssql-jdbc/pull/2491)
diff --git a/README.md b/README.md
@@ -83,7 +83,7 @@ We're now on the Maven Central Repository. Add the following to your POM file to
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>12.8.1.jre11</version>
+	<version>12.8.2.jre11</version>
 </dependency>
 ```
 The driver can be downloaded from [Microsoft](https://aka.ms/downloadmssqljdbc). For driver version 12.1.0 and greater, please use the jre11 version when using Java 11 or greater, and the jre8 version when using Java 8.
@@ -94,7 +94,7 @@ To get the latest version of the driver, add the following to your POM file:
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>12.8.1.jre11</version>
+	<version>12.8.2.jre11</version>
 </dependency>
 ```
 
@@ -129,7 +129,7 @@ Projects that require either of the two features need to explicitly declare the
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>12.8.1.jre11</version>
+	<version>12.8.2.jre11</version>
 	<scope>compile</scope>
 </dependency>
 
@@ -147,7 +147,7 @@ Projects that require either of the two features need to explicitly declare the
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>12.8.1.jre11</version>
+	<version>12.8.2.jre11</version>
 	<scope>compile</scope>
 </dependency>
 
@@ -174,7 +174,7 @@ When setting 'useFmtOnly' property to 'true' for establishing a connection or cr
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>12.8.1.jre11</version>
+	<version>12.8.2.jre11</version>
 </dependency>
 
 <dependency>
diff --git a/build.gradle b/build.gradle
@@ -11,7 +11,7 @@
 
 apply plugin: 'java'
 
-version = '12.8.1'
+version = '12.8.2'
 def releaseExt = ''
 def jreVersion = ""
 def testOutputDir = file("build/classes/java/test")
diff --git a/mssql-jdbc_auth_LICENSE b/mssql-jdbc_auth_LICENSE
@@ -1,5 +1,5 @@
 MICROSOFT SOFTWARE LICENSE TERMS
-MICROSOFT JDBC DRIVER 12.8.1 FOR SQL SERVER
+MICROSOFT JDBC DRIVER 12.8.2 FOR SQL SERVER
 
 These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.  BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
 
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>12.8.1</version>
+	<version>12.8.2</version>
 	<packaging>jar</packaging>
 	<name>Microsoft JDBC Driver for SQL Server</name>
 	<description>
diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/SQLJdbcVersion.java b/src/main/java/com/microsoft/sqlserver/jdbc/SQLJdbcVersion.java
@@ -8,7 +8,7 @@
 final class SQLJdbcVersion {
     static final int MAJOR = 12;
     static final int MINOR = 8;
-    static final int PATCH = 1;
+    static final int PATCH = 2;
     static final int BUILD = 0;
     /*
      * Used to load mssql-jdbc_auth DLL.
diff --git a/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerCertificateUtils.java b/src/main/java/com/microsoft/sqlserver/jdbc/SQLServerCertificateUtils.java
@@ -50,6 +50,9 @@
 import javax.crypto.spec.SecretKeySpec;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import javax.security.auth.x500.X500Principal;
 
 import org.bouncycastle.openssl.PEMDecryptorProvider;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
@@ -77,45 +80,6 @@ static KeyManager[] getKeyManagerFromFile(String certPath, String keyPath,
         }
     }
 
-    /**
-     * Parse name in RFC 2253 format Returns the common name if successful, null if failed to find the common name. The
-     * parser tuned to be safe than sorry so if it sees something it can't parse correctly it returns null
-     * 
-     * @param distinguishedName
-     *        server name to parse
-     * @return subject name
-     */
-    static String parseCommonName(String distinguishedName) {
-        int index;
-        // canonical name converts entire name to lowercase
-        index = distinguishedName.indexOf("cn=");
-        if (index == -1) {
-            return null;
-        }
-        distinguishedName = distinguishedName.substring(index + 3);
-        // Parse until a comma or end is reached
-        // Note the parser will handle gracefully (essentially will return empty string) , inside the quotes (e.g
-        // cn="Foo, bar") however
-        // RFC 952 says that the hostName cant have commas however the parser should not (and will not) crash if it
-        // sees a , within quotes.
-        for (index = 0; index < distinguishedName.length(); index++) {
-            if (distinguishedName.charAt(index) == ',') {
-                break;
-            }
-        }
-        String commonName = distinguishedName.substring(0, index);
-        // strip any quotes
-        if (commonName.length() > 1 && ('\"' == commonName.charAt(0))) {
-            if ('\"' == commonName.charAt(commonName.length() - 1))
-                commonName = commonName.substring(1, commonName.length() - 1);
-            else {
-                // Be safe the name is not ended in " return null so the common Name wont match
-                commonName = null;
-            }
-        }
-        return commonName;
-    }
-
     /**
      * Validate server name in certificate matches hostname
      * 
@@ -183,7 +147,11 @@ static boolean validateServerName(String nameInCert, String hostName) {
      * @throws CertificateException
      */
     static void validateServerNameInCertificate(X509Certificate cert, String hostName) throws CertificateException {
-        String nameInCertDN = cert.getSubjectX500Principal().getName("canonical");
+        // Use RFC2253 format and secure CN parsing to avoid ambiguities introduced by
+        // the "canonical" format (which lowercases and reverses RDN order). We rely
+        // on LdapName/Rdn to securely parse the DN and extract the CN attribute only.
+        X500Principal subjectPrincipal = cert.getSubjectX500Principal();
+        String nameInCertDN = subjectPrincipal.getName(X500Principal.RFC2253);
 
         if (logger.isLoggable(Level.FINER)) {
             logger.finer(logContext + " Validating the server name:" + hostName);
@@ -194,7 +162,13 @@ static void validateServerNameInCertificate(X509Certificate cert, String hostNam
         String dnsNameInSANCert = "";
 
         // the name in cert is in RFC2253 format parse it to get the actual subject name
-        String subjectCN = parseCommonName(nameInCertDN);
+        String subjectCN = parseCommonNameSecure(cert);
+        // X.509 certificate standard requires domain names to be in ASCII.
+        // Even IDN (Unicode) names will be represented here in Punycode (ASCII).
+        // Normalize case for comparison using English to avoid case issues like Turkish i.
+        if (subjectCN != null) {
+            subjectCN = subjectCN.toLowerCase(Locale.ENGLISH);
+        }
 
         isServerNameValidated = validateServerName(subjectCN, hostName);
 
@@ -530,4 +504,35 @@ private static InputStream fileToStream(String fname) throws IOException, SQLSer
     private static String getStringFromFile(String filePath) throws IOException {
         return new String(Files.readAllBytes(Paths.get(filePath)));
     }
+
+    /**
+     * Securely parse the Common Name (CN) from the certificate subject using
+     * LdapName/Rdn APIs and RFC2253 string representation to avoid mis-parsing
+     * values that appear inside other attributes when canonical form is used.
+     */
+    static String parseCommonNameSecure(X509Certificate cert) {
+        try {
+            X500Principal subjectPrincipal = cert.getSubjectX500Principal();
+            String dn = subjectPrincipal.getName(X500Principal.RFC2253);
+
+            LdapName ldapDN = new LdapName(dn);
+            for (Rdn rdn : ldapDN.getRdns()) {
+                if ("CN".equalsIgnoreCase(rdn.getType())) {
+                    String cnValue = rdn.getValue().toString();
+                    return cnValue;
+                }
+            }
+
+            if (logger.isLoggable(Level.FINER)) {
+                logger.finer(logContext + " No CN found in certificate subject");
+            }
+            return null;
+
+        } catch (Exception e) {
+            if (logger.isLoggable(Level.WARNING)) {
+                logger.warning(logContext + " Error parsing certificate: " + e.getMessage());
+            }
+            return null;
+        }
+    }
 }
diff --git a/src/samples/adaptive/pom.xml b/src/samples/adaptive/pom.xml
@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>12.8.0.jre11</version>
+			<version>12.8.2.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>
diff --git a/src/samples/alwaysencrypted/pom.xml b/src/samples/alwaysencrypted/pom.xml
@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>12.8.0.jre11</version>
+			<version>12.8.2.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>
diff --git a/src/samples/azureactivedirectoryauthentication/pom.xml b/src/samples/azureactivedirectoryauthentication/pom.xml
@@ -14,7 +14,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>12.8.0.jre11</version>
+			<version>12.8.2.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>
diff --git a/src/samples/connections/pom.xml b/src/samples/connections/pom.xml
@@ -14,7 +14,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>12.8.0.jre11</version>
+			<version>12.8.2.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>
diff --git a/src/samples/constrained/pom.xml b/src/samples/constrained/pom.xml
@@ -16,7 +16,7 @@
         <dependency>
             <groupId>com.microsoft.sqlserver</groupId>
             <artifactId>mssql-jdbc</artifactId>
-            <version>12.8.0.jre11</version>
+            <version>12.8.2.jre11</version>
         </dependency>
     </dependencies>
     <profiles>
diff --git a/src/samples/dataclassification/pom.xml b/src/samples/dataclassification/pom.xml
@@ -16,7 +16,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>12.8.0.jre11</version>
+			<version>12.8.2.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>
diff --git a/src/samples/datatypes/pom.xml b/src/samples/datatypes/pom.xml
@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>12.8.0.jre11</version>
+			<version>12.8.2.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>
diff --git a/src/samples/resultsets/pom.xml b/src/samples/resultsets/pom.xml
@@ -14,7 +14,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>12.8.0.jre11</version>
+			<version>12.8.2.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>
diff --git a/src/samples/sparse/pom.xml b/src/samples/sparse/pom.xml
@@ -14,7 +14,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>12.8.0.jre11</version>
+			<version>12.8.2.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>
diff --git a/src/test/java/com/microsoft/sqlserver/jdbc/SSLCertificateValidationTest.java b/src/test/java/com/microsoft/sqlserver/jdbc/SSLCertificateValidationTest.java
