Bug 2263384 (CVE-2024-0985) - CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL
Status: NEW
Alias: CVE-2024-0985
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security
Depends On: 2265976 2265977 2265978 2265979 2265980 2265981 2263411 2263412 2263493
Blocks: 2263382
 
Reported: 2024-02-08 16:33 UTC by Robb Gatica
Modified: 2024-04-19 00:12 UTC

Fixed In Version: postgresql 12.18, postgresql 13.14, postgresql 14.11, postgresql 15.6
Doc Text:
A flaw was found in PostgreSQL. A late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL can allow an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling a safe refresh of untrusted materialized views. The attack requires luring the victim, a superuser or member of one of the attacker's roles, into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view.

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2024:0986 | 0 | None | None | None | 2024-02-26 12:07:55 UTC
Red Hat Product Errata | RHBA-2024:0994 | 0 | None | None | None | 2024-02-26 21:25:54 UTC
Red Hat Product Errata | RHBA-2024:1000 | 0 | None | None | None | 2024-02-27 08:34:48 UTC
Red Hat Product Errata | RHBA-2024:1002 | 0 | None | None | None | 2024-02-27 09:33:08 UTC
Red Hat Product Errata | RHBA-2024:1003 | 0 | None | None | None | 2024-02-27 09:45:00 UTC
Red Hat Product Errata | RHBA-2024:1006 | 0 | None | None | None | 2024-02-27 14:08:39 UTC
Red Hat Product Errata | RHBA-2024:1012 | 0 | None | None | None | 2024-02-28 01:28:20 UTC
Red Hat Product Errata | RHBA-2024:1022 | 0 | None | None | None | 2024-02-28 14:10:11 UTC
Red Hat Product Errata | RHBA-2024:1034 | 0 | None | None | None | 2024-02-28 21:38:47 UTC
Red Hat Product Errata | RHBA-2024:1190 | 0 | None | None | None | 2024-03-06 14:25:52 UTC
Red Hat Product Errata | RHSA-2024:0950 | 0 | None | None | None | 2024-02-22 15:46:25 UTC
Red Hat Product Errata | RHSA-2024:0951 | 0 | None | None | None | 2024-02-22 16:26:13 UTC
Red Hat Product Errata | RHSA-2024:0956 | 0 | None | None | None | 2024-02-26 01:36:51 UTC
Red Hat Product Errata | RHSA-2024:0973 | 0 | None | None | None | 2024-02-26 02:25:06 UTC
Red Hat Product Errata | RHSA-2024:0974 | 0 | None | None | None | 2024-02-26 02:54:03 UTC
Red Hat Product Errata | RHSA-2024:0975 | 0 | None | None | None | 2024-02-26 03:28:50 UTC
Red Hat Product Errata | RHSA-2024:0988 | 0 | None | None | None | 2024-02-26 14:54:59 UTC
Red Hat Product Errata | RHSA-2024:0990 | 0 | None | None | None | 2024-02-26 17:08:07 UTC
Red Hat Product Errata | RHSA-2024:0992 | 0 | None | None | None | 2024-02-26 17:08:32 UTC
Red Hat Product Errata | RHSA-2024:1017 | 0 | None | None | None | 2024-02-28 11:47:38 UTC
Red Hat Product Errata | RHSA-2024:1069 | 0 | None | None | None | 2024-03-04 19:38:10 UTC
Red Hat Product Errata | RHSA-2024:1070 | 0 | None | None | None | 2024-03-04 19:38:23 UTC
Red Hat Product Errata | RHSA-2024:1071 | 0 | None | None | None | 2024-03-04 19:37:58 UTC
Red Hat Product Errata | RHSA-2024:1195 | 0 | None | None | None | 2024-03-06 16:35:33 UTC
Red Hat Product Errata | RHSA-2024:1240 | 0 | None | None | None | 2024-03-11 15:19:28 UTC
Red Hat Product Errata | RHSA-2024:1241 | 0 | None | None | None | 2024-03-11 15:19:42 UTC
Red Hat Product Errata | RHSA-2024:1314 | 0 | None | None | None | 2024-03-13 13:41:54 UTC
Red Hat Product Errata | RHSA-2024:1315 | 0 | None | None | None | 2024-03-13 13:46:18 UTC
Red Hat Product Errata | RHSA-2024:1348 | 0 | None | None | None | 2024-03-18 01:20:59 UTC
Red Hat Product Errata | RHSA-2024:1422 | 0 | None | None | None | 2024-03-19 17:32:29 UTC
Red Hat Product Errata | RHSA-2024:1426 | 0 | None | None | None | 2024-03-19 18:03:41 UTC
Red Hat Product Errata | RHSA-2024:1428 | 0 | None | None | None | 2024-03-19 18:13:32 UTC
Red Hat Product Errata | RHSA-2024:1429 | 0 | None | None | None | 2024-03-19 18:05:18 UTC
Red Hat Product Errata | RHSA-2024:1437 | 0 | None | None | None | 2024-03-20 09:36:54 UTC

Description Robb Gatica 2024-02-08 16:33:57 UTC
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.

Affected Versions: 12, 13, 14, 15
Fixed in: 12.18, 13.14, 14.11, 15.6

References:
https://www.postgresql.org/support/security/CVE-2024-0985/
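
A fleet-triage check built from the version boundaries in the description above. This is an added example, not part of the original bug report or of PostgreSQL's code. The function names, status labels and sample inventory are constructed for illustration.

```python
import re

# First fixed minor per affected branch, as listed in the advisory text.
FIXED_MINOR = {12: 18, 13: 14, 14: 11, 15: 6}

def parse_version(raw):
    """Return (major, minor) from server_version, version() or server_version_num."""
    text = str(raw).strip()
    if text.isdigit() and len(text) >= 5:
        # server_version_num on PostgreSQL 10+: major * 10000 + minor
        return int(text) // 10000, int(text) % 10000
    m = re.match(r"(?:PostgreSQL\s+)?(\d+)(?:\.(\d+))?", text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2) or 0)  # "16beta1" -> (16, 0)

def classify(raw):
    """Map a reported version to a status label (labels are this example's own)."""
    parsed = parse_version(raw)
    if parsed is None:
        return "unlisted"
    major, minor = parsed
    if major in FIXED_MINOR:
        return "fixed" if minor >= FIXED_MINOR[major] else "affected"
    if major == 16:
        # 16.2 added the same protections as defense in depth.
        return "hardened" if minor >= 2 else "no-known-exploit"
    # Known exploit fails on 16 and later; branches below 12 are not listed.
    return "no-known-exploit" if major > 16 else "unlisted"

def triage(inventory):
    """Group host names by status; the 'affected' group is the patch queue."""
    groups = {}
    for host, raw in inventory.items():
        groups.setdefault(classify(raw), []).append(host)
    return {status: sorted(hosts) for status, hosts in groups.items()}

# Constructed inventory: host name -> version string as a collector might report it.
SAMPLE = {
    "db-a": "14.10 (Ubuntu 14.10-0ubuntu0.22.04.1)",
    "db-b": "PostgreSQL 13.14 on x86_64-pc-linux-gnu, compiled by gcc",
    "db-c": "150005",
    "db-d": "16.1",
    "db-e": "16.2",
    "db-f": "11.22",
}

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status:17} {', '.join(hosts)}")
```

Hosts reported as "unlisted" run a branch the advisory gives no fixed release for and need separate review.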

Comment 8 errata-xmlrpc 2024-02-22 15:46:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0950 https://access.redhat.com/errata/RHSA-2024:0950

Comment 9 errata-xmlrpc 2024-02-22 16:26:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0951 https://access.redhat.com/errata/RHSA-2024:0951

Comment 10 errata-xmlrpc 2024-02-26 01:36:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0956 https://access.redhat.com/errata/RHSA-2024:0956

Comment 11 errata-xmlrpc 2024-02-26 02:25:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0973 https://access.redhat.com/errata/RHSA-2024:0973

Comment 12 errata-xmlrpc 2024-02-26 02:54:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0974 https://access.redhat.com/errata/RHSA-2024:0974

Comment 13 errata-xmlrpc 2024-02-26 03:28:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0975 https://access.redhat.com/errata/RHSA-2024:0975

Comment 14 Sandipan Roy 2024-02-26 06:13:43 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265977]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265976]


Created postgresql:12/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265978]


Created postgresql:13/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265979]


Created postgresql:14/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265980]


Created postgresql:15/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265981]

Comment 15 errata-xmlrpc 2024-02-26 14:54:56 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:0988 https://access.redhat.com/errata/RHSA-2024:0988

Comment 16 errata-xmlrpc 2024-02-26 17:08:04 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:0990 https://access.redhat.com/errata/RHSA-2024:0990

Comment 17 errata-xmlrpc 2024-02-26 17:08:29 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:0992 https://access.redhat.com/errata/RHSA-2024:0992

Comment 18 errata-xmlrpc 2024-02-28 11:47:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1017 https://access.redhat.com/errata/RHSA-2024:1017

Comment 19 errata-xmlrpc 2024-03-04 19:37:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1071 https://access.redhat.com/errata/RHSA-2024:1071

Comment 20 errata-xmlrpc 2024-03-04 19:38:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1069 https://access.redhat.com/errata/RHSA-2024:1069

Comment 21 errata-xmlrpc 2024-03-04 19:38:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1070 https://access.redhat.com/errata/RHSA-2024:1070

Comment 22 errata-xmlrpc 2024-03-06 16:35:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1195 https://access.redhat.com/errata/RHSA-2024:1195

Comment 23 errata-xmlrpc 2024-03-11 15:19:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1240 https://access.redhat.com/errata/RHSA-2024:1240

Comment 24 errata-xmlrpc 2024-03-11 15:19:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1241 https://access.redhat.com/errata/RHSA-2024:1241

Comment 25 errata-xmlrpc 2024-03-13 13:41:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1314 https://access.redhat.com/errata/RHSA-2024:1314

Comment 26 errata-xmlrpc 2024-03-13 13:46:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1315 https://access.redhat.com/errata/RHSA-2024:1315

Comment 27 errata-xmlrpc 2024-03-18 01:20:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1348 https://access.redhat.com/errata/RHSA-2024:1348

Comment 28 errata-xmlrpc 2024-03-19 17:32:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1422 https://access.redhat.com/errata/RHSA-2024:1422

Comment 29 errata-xmlrpc 2024-03-19 18:03:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1426 https://access.redhat.com/errata/RHSA-2024:1426

Comment 30 errata-xmlrpc 2024-03-19 18:05:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1429 https://access.redhat.com/errata/RHSA-2024:1429

Comment 31 errata-xmlrpc 2024-03-19 18:13:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1428 https://access.redhat.com/errata/RHSA-2024:1428

Comment 32 errata-xmlrpc 2024-03-20 09:36:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1437 https://access.redhat.com/errata/RHSA-2024:1437

