Addressed CVE-2025-59250 and version updates for 13.2.1 (#2801)

* Addressed CVE-2025-59250: JDBC Driver for SQL Server Spoofing Vulnerability: Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

Author: divang

CHANGELOG.md

@@ -2,6 +2,60 @@
 All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](http://keepachangelog.com/)
+## [13.2.1] Hotfix & Stable Release
+
+### Added
+
+- **Enable Vector data type tests on Azure SQL Database** [#2762](https://github.com/microsoft/mssql-jdbc/pull/2762)
+  **What was added**: Vector data type tests are now enabled to run against Azure SQL Database.
+  **Who benefits**: Developers testing VECTOR functionality in Azure SQL DB environments.
+  **Impact**: Ensures VECTOR data type support test coverage.
+
+- **Enable JSON data type tests on Azure SQL Database** [#2756](https://github.com/microsoft/mssql-jdbc/pull/2756)
+  **What was added**: JSON data type tests are now enabled to run against Azure SQL Database.
+  **Who benefits**: Developers testing JSON functionality in Azure SQL DB environments.
+  **Impact**: Ensures JSON data type support test coverage.
+ 
+### Changed
+
+- **Revert function/procedure filtering via sys.all_objects** [#2751](https://github.com/microsoft/mssql-jdbc/pull/2751)
+  **What changed**: Reverted #2705 change that used sys.all_objects for filtering. Restores previous behavior to maintain consistency across metadata APIs.
+  **Who benefits**: Developers using getProcedures() and getFunctions() in JDBC.
+  **Impact**: Preserves compatibility with numbered procedures and avoids discrepancies between APIs.
+
+### Fixed issues
+
+- **JDK 8 compatibility for vector datatype handling** [#2750](https://github.com/microsoft/mssql-jdbc/pull/2750)
+  **What was fixed**: Ensured fallback to JVM system property javax.net.ssl.trustStoreType if connection property is unset.
+  **Who benefits**: Users configuring SSL via system properties.
+  **Impact**: Enables proper SSL trust store resolution, improving compatibility with system configurations.
+
+- **PreparedStatement getGeneratedKeys() failure with triggers** [#2742](https://github.com/microsoft/mssql-jdbc/pull/2742)
+  **What was fixed**: Fixed error "The statement must be executed before any results can be obtained" when using insert triggers with generated keys.
+  **Who benefits**: Developers retrieving generated keys from inserts with triggers.
+  **Impact**: Restores correct behavior for both update count accuracy and generated keys retrieval in trigger scenarios.
+
+- **Byte Buddy dependency scope** [#2755](https://github.com/microsoft/mssql-jdbc/pull/2755)
+  **What was fixed**: Corrected Byte Buddy (1.15.11) dependency scope to test instead of compile.
+  **Who benefits**: Developers and users of runtime artifacts.
+  **Impact**: Reduces runtime artifact size (~8 MB) and ensures Byte Buddy is only included for unit tests.
+
+- **DatabaseMetaData.getIndexInfo() NON_UNIQUE value inconsistency** [#2773](https://github.com/microsoft/mssql-jdbc/pull/2773)
+  **What was fixed**: Fixed incorrect NON_UNIQUE values due to mismatched handling of sp_statistics and sys.indexes.
+  **Who benefits**: Applications depending on accurate index metadata.
+  **Impact**: Provides consistent value of NON_UNIQUE field across SQL Server and Azure Synapse Analytics.
+
+- **DatabaseMetaData.getIndexInfo() invalid cursor position exception** [2763](https://github.com/microsoft/mssql-jdbc/pull/2763)
+  **What was fixed**: Fixed SQLException: Invalid cursor position caused when calling ResultSet.next() after exhaustion due to CachedRowSet strict cursor validation.
+  **Who benefits**: Developers consuming metadata via DatabaseMetaData.getIndexInfo() on SQL Server or Azure Synapse DW.
+  **Impact**: Replaces CachedRowSet merging with a UNION ALL query, ensuring standard JDBC cursor behavior while maintaining columnstore index support.
+
+- **Address a hostname validation vulnerability by securely parsing certificate common names.**
+  **What was fixed**: Secure hostname validation is enforced by replacing the vulnerable CN parsing logic in SQLServerCertificateUtils.java, preventing spoofing attacks.
+  **Who benefits**:  All users of the SQL Server JDBC driver, especially those relying on TLS for secure connections, benefit from improved certificate validation.
+  **Impact**: This fix closes a security gap, protecting applications from man-in-the-middle attacks and ensuring compliance with security best practices.
+
+
 ## [13.2.0] Stable Release
 
 ### Changed

README.md

@@ -83,7 +83,7 @@ We're now on the Maven Central Repository. Add the following to your POM file to
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>13.2.0.jre11</version>
+	<version>13.2.1.jre11</version>
 </dependency>
 ```
 The driver can be downloaded from [Microsoft](https://aka.ms/downloadmssqljdbc). For driver version 12.1.0 and greater, please use the jre11 version when using Java 11 or greater, and the jre8 version when using Java 8.
@@ -94,7 +94,7 @@ To get the latest version of the driver, add the following to your POM file:
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>13.2.0.jre11</version>
+	<version>13.2.1.jre11</version>
 </dependency>
 ```
 
@@ -129,7 +129,7 @@ Projects that require either of the two features need to explicitly declare the
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>13.2.0.jre11</version>
+	<version>13.2.1.jre11</version>
 	<scope>compile</scope>
 </dependency>
 
@@ -147,7 +147,7 @@ Projects that require either of the two features need to explicitly declare the
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>13.2.0.jre11</version>
+	<version>13.2.1.jre11</version>
 	<scope>compile</scope>
 </dependency>
 
@@ -174,7 +174,7 @@ When setting 'useFmtOnly' property to 'true' for establishing a connection or cr
 <dependency>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>13.2.0.jre11</version>
+	<version>13.2.1.jre11</version>
 </dependency>
 
 <dependency>

build.gradle

@@ -11,7 +11,7 @@
 
 apply plugin: 'java'
 
-version = '13.2.0'
+version = '13.2.1'
 def releaseExt = ''
 def jreVersion = ""
 def testOutputDir = file("build/classes/java/test")

mssql-jdbc_auth_LICENSE

@@ -1,5 +1,5 @@
 MICROSOFT SOFTWARE LICENSE TERMS
-MICROSOFT JDBC DRIVER 13.2.0 FOR SQL SERVER
+MICROSOFT JDBC DRIVER 13.2.1 FOR SQL SERVER
 
 These license terms are an agreement between you and Microsoft Corporation (or one of its affiliates). They apply to the software named above and any Microsoft services or software updates (except to the extent such services or updates are accompanied by new or additional terms, in which case those different terms apply prospectively and do not alter your or Microsoft’s rights relating to pre-updated software or services). IF YOU COMPLY WITH THESE LICENSE TERMS, YOU HAVE THE RIGHTS BELOW.  BY USING THE SOFTWARE, YOU ACCEPT THESE TERMS.
 

pom.xml

@@ -5,7 +5,7 @@
 	<modelVersion>4.0.0</modelVersion>
 	<groupId>com.microsoft.sqlserver</groupId>
 	<artifactId>mssql-jdbc</artifactId>
-	<version>13.2.0</version>
+	<version>13.2.1</version>
 	<packaging>jar</packaging>
 	<name>Microsoft JDBC Driver for SQL Server</name>
 	<description>

src/main/java/com/microsoft/sqlserver/jdbc/SQLJdbcVersion.java

@@ -8,7 +8,7 @@
 final class SQLJdbcVersion {
     static final int MAJOR = 13;
     static final int MINOR = 2;
-    static final int PATCH = 0;
+    static final int PATCH = 1;
     static final int BUILD = 0;
     /*
      * Used to load mssql-jdbc_auth DLL.

src/main/java/com/microsoft/sqlserver/jdbc/SQLServerCertificateUtils.java

@@ -50,6 +50,9 @@
 import javax.crypto.spec.SecretKeySpec;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import javax.security.auth.x500.X500Principal;
 
 import org.bouncycastle.openssl.PEMDecryptorProvider;
 import org.bouncycastle.openssl.PEMEncryptedKeyPair;
@@ -77,45 +80,6 @@ static KeyManager[] getKeyManagerFromFile(String certPath, String keyPath,
         }
     }
 
-    /**
-     * Parse name in RFC 2253 format Returns the common name if successful, null if failed to find the common name. The
-     * parser tuned to be safe than sorry so if it sees something it can't parse correctly it returns null
-     * 
-     * @param distinguishedName
-     *        server name to parse
-     * @return subject name
-     */
-    static String parseCommonName(String distinguishedName) {
-        int index;
-        // canonical name converts entire name to lowercase
-        index = distinguishedName.indexOf("cn=");
-        if (index == -1) {
-            return null;
-        }
-        distinguishedName = distinguishedName.substring(index + 3);
-        // Parse until a comma or end is reached
-        // Note the parser will handle gracefully (essentially will return empty string) , inside the quotes (e.g
-        // cn="Foo, bar") however
-        // RFC 952 says that the hostName cant have commas however the parser should not (and will not) crash if it
-        // sees a , within quotes.
-        for (index = 0; index < distinguishedName.length(); index++) {
-            if (distinguishedName.charAt(index) == ',') {
-                break;
-            }
-        }
-        String commonName = distinguishedName.substring(0, index);
-        // strip any quotes
-        if (commonName.length() > 1 && ('\"' == commonName.charAt(0))) {
-            if ('\"' == commonName.charAt(commonName.length() - 1))
-                commonName = commonName.substring(1, commonName.length() - 1);
-            else {
-                // Be safe the name is not ended in " return null so the common Name wont match
-                commonName = null;
-            }
-        }
-        return commonName;
-    }
-
     /**
      * Validate server name in certificate matches hostname
      * 
@@ -183,7 +147,11 @@ static boolean validateServerName(String nameInCert, String hostName) {
      * @throws CertificateException
      */
     static void validateServerNameInCertificate(X509Certificate cert, String hostName) throws CertificateException {
-        String nameInCertDN = cert.getSubjectX500Principal().getName("canonical");
+        // Use RFC2253 format and secure CN parsing to avoid ambiguities introduced by
+        // the "canonical" format (which lowercases and reverses RDN order). We rely
+        // on LdapName/Rdn to securely parse the DN and extract the CN attribute only.
+        X500Principal subjectPrincipal = cert.getSubjectX500Principal();
+        String nameInCertDN = subjectPrincipal.getName(X500Principal.RFC2253);
 
         if (logger.isLoggable(Level.FINER)) {
             logger.finer(logContext + " Validating the server name:" + hostName);
@@ -194,7 +162,13 @@ static void validateServerNameInCertificate(X509Certificate cert, String hostNam
         String dnsNameInSANCert = "";
 
         // the name in cert is in RFC2253 format parse it to get the actual subject name
-        String subjectCN = parseCommonName(nameInCertDN);
+        String subjectCN = parseCommonNameSecure(cert);
+        // X.509 certificate standard requires domain names to be in ASCII.
+        // Even IDN (Unicode) names will be represented here in Punycode (ASCII).
+        // Normalize case for comparison using English to avoid case issues like Turkish i.
+        if (subjectCN != null) {
+            subjectCN = subjectCN.toLowerCase(Locale.ENGLISH);
+        }
 
         isServerNameValidated = validateServerName(subjectCN, hostName);
 
@@ -530,4 +504,35 @@ private static InputStream fileToStream(String fname) throws IOException, SQLSer
     private static String getStringFromFile(String filePath) throws IOException {
         return new String(Files.readAllBytes(Paths.get(filePath)));
     }
+
+    /**
+     * Securely parse the Common Name (CN) from the certificate subject using
+     * LdapName/Rdn APIs and RFC2253 string representation to avoid mis-parsing
+     * values that appear inside other attributes when canonical form is used.
+     */
+    static String parseCommonNameSecure(X509Certificate cert) {
+        try {
+            X500Principal subjectPrincipal = cert.getSubjectX500Principal();
+            String dn = subjectPrincipal.getName(X500Principal.RFC2253);
+
+            LdapName ldapDN = new LdapName(dn);
+            for (Rdn rdn : ldapDN.getRdns()) {
+                if ("CN".equalsIgnoreCase(rdn.getType())) {
+                    String cnValue = rdn.getValue().toString();
+                    return cnValue;
+                }
+            }
+
+            if (logger.isLoggable(Level.FINER)) {
+                logger.finer(logContext + " No CN found in certificate subject");
+            }
+            return null;
+
+        } catch (Exception e) {
+            if (logger.isLoggable(Level.WARNING)) {
+                logger.warning(logContext + " Error parsing certificate: " + e.getMessage());
+            }
+            return null;
+        }
+    }
 }

src/samples/adaptive/pom.xml

@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>13.2.0.jre11</version>
+			<version>13.2.1.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>

src/samples/alwaysencrypted/pom.xml

@@ -15,7 +15,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>13.2.0.jre11</version>
+			<version>13.2.1.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>

src/samples/azureactivedirectoryauthentication/pom.xml

@@ -14,7 +14,7 @@
 		<dependency>
 			<groupId>com.microsoft.sqlserver</groupId>
 			<artifactId>mssql-jdbc</artifactId>
-			<version>13.2.0.jre11</version>
+			<version>13.2.1.jre11</version>
 		</dependency>
 	</dependencies>
 	<profiles>