PostgreSQL has issued three security patches for 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22 versions.
“The PostgreSQL Global Development Group is pleased to announce the availability of PostgreSQL 10 Beta 3 and updates to all supported versions of our database system, including 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.” reads the announcement.
The popular object-relational database management system (ORDBMS) is affected by a flaw, tracked as CVE-2017-7547, that could be remotely exploited to retrieve others’ passwords.
“An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.” states Bugzilla.
The issue derives from the database’s handling of pg_user_mappings, it allows a remote and authenticated attacker to retrieve passwords from user mappings that foreign server owners defined for the user in question.
“The pg_user_mappings view long required privileges on a given foreign server in order to see “options”, notably passwords, associated with user mappings of that server. The fix for CVE-2017-7486 removed that requirement. This allows each user to retrieve passwords from user mappings that foreign server owners defined for the user in question, even if that owner granted no actual privileges. The user in question might retrieve the password and use it to connect via another mechanism.” continues the advisory.
The security updates also fixed other issues such as a flaw tracked as CVE-2017-7546, that causes the server accepting empty passwords.
“It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq’s refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.” reads the advisory.
“Several authentication methods, including the widely-used ‘md5’ method, permit empty passwords. On the client side,
libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.”
The last flaw fixed is the CVE-2017-7548 in the lo_put() function, which had a missing permission check that allowed “any user to change the data in a large object”.
“An authorization flaw was found in the way PostgreSQL handled large objects. A remote authenticated attacker with no privileges on a large object could potentially use this flaw to overwrite the entire content of the object, thus resulting in denial of service.” states the advisory.
The PostgreSQL also reminds users that Version 9.2 will move to the end-of-life list in September.
(Security Affairs – DBMS, PostgreSQL)