PostgreSQL has issued three security patches for 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22 versions.
“The PostgreSQL Global Development Group is pleased to announce the availability of PostgreSQL 10 Beta 3 and updates to all supported versions of our database system, including 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.” reads the announcement.
The popular object-relational database management system (ORDBMS) is affected by a flaw, tracked as CVE-2017-7547, that could be remotely exploited to retrieve others’ passwords.
“An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.” states Bugzilla.
The issue derives from the database’s handling of pg_user_mappings, it allows a remote and authenticated attacker to retrieve passwords from user mappings that foreign server owners defined for the user in question.
“The pg_user_mappings view long required privileges on a given foreign server in order to see “options”, notably passwords, associated with user mappings of that server. The fix for CVE-2017-7486 removed that requirement. This allows each user to retrieve passwords from user mappings that foreign server owners defined for the user in question, even if that owner granted no actual privileges. The user in question might retrieve the password and use it to connect via another mechanism.” continues the advisory.
The security updates also fixed other issues such as a flaw tracked as CVE-2017-7546, that causes the server accepting empty passwords.
“It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq’s refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.” reads the advisory.
“Several authentication methods, including the widely-used ‘md5’ method, permit empty passwords. On the client side,
libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.”
The last flaw fixed is the CVE-2017-7548 in the lo_put() function, which had a missing permission check that allowed “any user to change the data in a large object”.
“An authorization flaw was found in the way PostgreSQL handled large objects. A remote authenticated attacker with no privileges on a large object could potentially use this flaw to overwrite the entire content of the object, thus resulting in denial of service.” states the advisory.
The PostgreSQL also reminds users that Version 9.2 will move to the end-of-life list in September.
(Security Affairs – DBMS, PostgreSQL)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.