Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.

Affected Versions: 12, 13, 14, 15
Fixed in: 12.18, 13.14, 14.11, 15.6
References: https://www.postgresql.org/support/security/CVE-2024-0985/
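The practical questions a DBA has after reading the advisory are "which of my servers are still on an affected release?" and "which materialized views could a superuser be lured into refreshing?". The following is an added example, not code from the PostgreSQL project, Red Hat, or the advisory. It encodes the fixed-in releases listed above, and embeds a catalog query that lists every materialized view with its owner and whether it carries a unique index (REFRESH ... CONCURRENTLY refuses to run without one, so views lacking it cannot be used for this attack). The sample rows are constructed; `assess`, `triage`, and `AUDIT_SQL` are names chosen here, not anything the project ships.

```python
"""Fleet audit helper for CVE-2024-0985 (added example, not project code).

Assumes you can run `SHOW server_version_num` and the AUDIT_SQL query below
on each server with any PostgreSQL driver; no driver is imported here so the
logic runs offline against constructed sample data.
"""

# First fixed release per affected branch, from the advisory text.
FIXED_MINOR = {12: 18, 13: 14, 14: 11, 15: 6}
# 16.x is not reachable by the only known exploit; 16.2 adds the same
# defense-in-depth protections the older branches used as their fix.
HARDENED_MINOR_16 = 2


def parse_version_num(server_version_num):
    """Split PostgreSQL's server_version_num (e.g. 150005 for 15.5) into (major, minor)."""
    n = int(server_version_num)
    return n // 10000, n % 10000


def assess(server_version_num):
    """Classify one server by its server_version_num.

    Returns 'VULNERABLE', 'FIXED', 'UNAFFECTED_UNHARDENED' (16.0/16.1) or
    'UNAFFECTED' (16.2+ and later majors).
    """
    major, minor = parse_version_num(server_version_num)
    if major < 12:
        # Advisory wording: anything before 12.18 is affected; these branches
        # are end-of-life and received no fix, so treat them as vulnerable.
        return "VULNERABLE"
    if major in FIXED_MINOR:
        return "FIXED" if minor >= FIXED_MINOR[major] else "VULNERABLE"
    if major == 16:
        return "UNAFFECTED" if minor >= HARDENED_MINOR_16 else "UNAFFECTED_UNHARDENED"
    return "UNAFFECTED"


# Catalog query to run on each database. relkind 'm' selects materialized
# views; the EXISTS subquery reports whether a unique index is present, which
# CONCURRENTLY refresh requires.
AUDIT_SQL = """
SELECT n.nspname AS schema_name,
       c.relname AS matview_name,
       r.rolname AS owner,
       r.rolsuper AS owner_is_superuser,
       EXISTS (SELECT 1 FROM pg_index i
               WHERE i.indrelid = c.oid AND i.indisunique) AS has_unique_index
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r ON r.oid = c.relowner
WHERE c.relkind = 'm'
ORDER BY 1, 2;
"""


def triage(rows):
    """From AUDIT_SQL result rows, return (schema, name, owner) of views that a
    superuser should not refresh CONCURRENTLY on an unpatched server: owned by
    a non-superuser and eligible for CONCURRENTLY (unique index present)."""
    return [
        (schema, name, owner)
        for schema, name, owner, owner_is_super, has_unique in rows
        if not owner_is_super and has_unique
    ]


# Constructed sample rows in the shape AUDIT_SQL returns (not real data).
SAMPLE_ROWS = [
    ("public", "sales_summary", "app_owner", False, True),
    ("public", "stats_cache", "postgres", True, True),
    ("reports", "daily_totals", "analyst", False, False),
]

if __name__ == "__main__":
    for v in (150005, 150006, 160001, 160002):
        print(v, assess(v))
    print("refresh only after patching:", triage(SAMPLE_ROWS))
```

Until the fixed release is installed, the entries `triage` returns are the ones to refresh only as their owner (or with CONCURRENTLY omitted), never as a superuser or as a member of the owner's role.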
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:0950 https://access.redhat.com/errata/RHSA-2024:0950
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:0951 https://access.redhat.com/errata/RHSA-2024:0951
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0956 https://access.redhat.com/errata/RHSA-2024:0956
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0973 https://access.redhat.com/errata/RHSA-2024:0973
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0974 https://access.redhat.com/errata/RHSA-2024:0974
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0975 https://access.redhat.com/errata/RHSA-2024:0975
Created mingw-postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2265977]
Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2265976]
Created postgresql:12/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2265978]
Created postgresql:13/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2265979]
Created postgresql:14/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2265980]
Created postgresql:15/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2265981]
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2024:0988 https://access.redhat.com/errata/RHSA-2024:0988
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2024:0990 https://access.redhat.com/errata/RHSA-2024:0990
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2024:0992 https://access.redhat.com/errata/RHSA-2024:0992
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1017 https://access.redhat.com/errata/RHSA-2024:1017
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2024:1071 https://access.redhat.com/errata/RHSA-2024:1071
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1069 https://access.redhat.com/errata/RHSA-2024:1069
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:1070 https://access.redhat.com/errata/RHSA-2024:1070
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:1195 https://access.redhat.com/errata/RHSA-2024:1195
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1240 https://access.redhat.com/errata/RHSA-2024:1240
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1241 https://access.redhat.com/errata/RHSA-2024:1241
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:1314 https://access.redhat.com/errata/RHSA-2024:1314
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:1315 https://access.redhat.com/errata/RHSA-2024:1315
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:1348 https://access.redhat.com/errata/RHSA-2024:1348
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2024:1422 https://access.redhat.com/errata/RHSA-2024:1422
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1426 https://access.redhat.com/errata/RHSA-2024:1426
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:1429 https://access.redhat.com/errata/RHSA-2024:1429
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1428 https://access.redhat.com/errata/RHSA-2024:1428
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:1437 https://access.redhat.com/errata/RHSA-2024:1437