Database access

Access to the OX App Suite database is provided as an OSGi service within the application. To obtain a JDBC connection to a database, the session's user and context id must be passed to that service, which hands out a connection from a pool of database connections. Using that JDBC connection, the user's data is accessed through SQL queries and updates.

Since Open-Xchange Server version 7.10.1 the connection can be secured using TLS/SSL. For a complete guide, see https://documentation.open-xchange.com/7.10.1/middleware/components/database/connection_encryption.html.

Prepared statements are used consistently for database access, which greatly reduces the risk of SQL injection attacks.

Potential Security Risk

Most risks are in-application risks. A programmer might pass the wrong user/tenant identifier to the OX App Suite database service and obtain a JDBC connection for the wrong user/tenant. Moreover, by not obeying the primary key specification, that programmer might read or write another user's or tenant's data.
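The two points above (prepared statements against SQL injection, and passing the session's user and context id so that a query cannot reach another tenant's rows) are illustrated by the following added example. It is not OX App Suite code: the DatabaseService interface is a hypothetical stand-in for the OSGi service the text describes, its method names are assumptions, and the table example_items with primary key (cid, id) is constructed for the example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

/*
 * Added example, not OX App Suite code. DatabaseService below is a hypothetical
 * stand-in for the OSGi database service; its method names are assumptions.
 * The table example_items(cid INT, id INT, owner INT, name VARCHAR, data VARCHAR)
 * is constructed for this example. Its primary key is (cid, id), so every query
 * must carry the context id (cid) in its WHERE clause.
 */
public class ItemAccess {

    /** Hypothetical stand-in for the pooled-connection OSGi service (assumption). */
    public interface DatabaseService {
        /** Hand out a pooled connection for the given context and user. */
        Connection acquire(int contextId, int userId) throws SQLException;
        /** Return the connection to the pool. */
        void release(int contextId, Connection con);
    }

    private final DatabaseService db;

    public ItemAccess(DatabaseService db) {
        this.db = db;
    }

    /**
     * UNSAFE, shown only to make the risk concrete: the SQL is built by string
     * concatenation, so the contents of 'name' are parsed as SQL, and the WHERE
     * clause ignores cid, so rows of every tenant sharing the schema are returned.
     */
    public List<String> findUnsafe(int contextId, int userId, String name) throws SQLException {
        Connection con = db.acquire(contextId, userId);
        try (Statement st = con.createStatement();
             ResultSet rs = st.executeQuery(
                     "SELECT data FROM example_items WHERE name = '" + name + "'")) {
            return collect(rs);
        } finally {
            db.release(contextId, con); // always hand the connection back to the pool
        }
    }

    /**
     * SAFE: a PreparedStatement binds 'name' as a parameter (never parsed as SQL),
     * and the session's context id and user id are bound as well, so the query can
     * only reach rows that belong to this tenant and this user, in line with the
     * (cid, id) primary key of the constructed table.
     */
    public List<String> findSafe(int contextId, int userId, String name) throws SQLException {
        Connection con = db.acquire(contextId, userId);
        try (PreparedStatement ps = con.prepareStatement(
                "SELECT data FROM example_items WHERE cid = ? AND owner = ? AND name = ?")) {
            ps.setInt(1, contextId);
            ps.setInt(2, userId);
            ps.setString(3, name);
            try (ResultSet rs = ps.executeQuery()) {
                return collect(rs);
            }
        } finally {
            db.release(contextId, con);
        }
    }

    /** Read the single selected column into a list. */
    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> out = new ArrayList<>();
        while (rs.next()) {
            out.add(rs.getString(1));
        }
        return out;
    }
}
```

A simple review check follows from this pattern: every SQL string executed through the service should contain a cid placeholder bound from the session's context id, and no user-controlled value should be concatenated into the statement text. The try/finally around the pooled connection also matters operationally, since a leaked connection exhausts the pool for every tenant sharing it.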

Not using TLS potentially exposes the data sent over the connection to anyone who has access to the data stream. TLS should only be disabled if the operator can guarantee that the networks involved are properly protected.