Bug 1645937 (CVE-2018-16850)

Summary: CVE-2018-16850 postgresql: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abergmann, abhgupta, anon.amish, bkearney, bmcclain, dajohnso, databases-maint, dbaker, dblechte, dclarizi, devrim, dfediuck, dmetzger, eedri, gblomqui, ggainey, gmainwar, gmccullo, gtanzill, hhorak, jfrey, jhardy, jlaska, jmlich83, jokerman, jorton, jprause, jstanek, kdixon, meissner, mgoldboi, michal.skrivanek, mike, mperina, obarenbo, pkajaba, pkubat, praiskup, ratamir, roliveri, rschiron, sbonazzo, security-response-team, sherold, simaishi, sthangav, tgl, tlestach, trankin
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20181108,reported=20181103,source=upstream,cvss3=8.0/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H,cwe=CWE-89,fedora-all/postgresql=affected,fedora-all/mingw-postgresql=notaffected,epel-7/mingw-postgresql=notaffected,ansible_tower-3/postgresql96-libs=notaffected,openshift-online-3/postgresql96=notaffected,openshift-online-3/postgresql=notaffected,rhscl-3/rh-postgresql96-postgresql=notaffected,rhscl-3/rh-postgresql95-postgresql=notaffected,rhscl-3/rh-postgresql10-postgresql=affected,cfme-5/postgresql96=notaffected,rhev-m-4/rh-postgresql95-postgresql=notaffected,rhev-m-4/postgresql=notaffected,rhn_satellite_5/rh-postgresql95-postgresql=notaffected,rhel-8/postgresql=notaffected,rhel-8/libpq=notaffected,rhel-7/postgresql=notaffected,rhel-6/postgresql=notaffected,rhel-5/postgresql=notaffected
Fixed In Version: postgresql 11.1, postgresql 10.6 Doc Type: If docs needed, set a value
Doc Text:
A SQL Injection flaw has been discovered in PostgreSQL server in the way triggers that enable transition relations are dumped. The transition relation name is not correctly quoted and it may allow an attacker with CREATE privilege on some non-temporary schema or TRIGGER privilege on some table to create a malicious trigger that, when dumped and restored, would result in additional SQL statements being executed.
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-12-03 09:41:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1649239, 1649370, 1649236, 1649237, 1649238, 1649240, 1649369    
Bug Blocks: 1645938    

Description Sam Fowler 2018-11-05 01:33:19 UTC
Postgresql before versions 11.1 and 10.6 are vulnerable to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges, during the next pg_upgrade of the database or the next pg_dump dump/restore cycle. The attack requires CREATE privilege on some non-temporary schema or TRIGGER privilege on some table. This is exploitable in the default configuration, where all users have CREATE privilege on schema "public".

Comment 2 Andrej Nemec 2018-11-13 08:36:39 UTC
External References:

https://www.postgresql.org/about/news/1905/

Comment 3 Andrej Nemec 2018-11-13 08:37:34 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: epel-7 [bug 1649238]
Affects: fedora-all [bug 1649237]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1649236]

Comment 8 Riccardo Schirone 2018-11-13 13:41:07 UTC
Since postgresql version 10, when creating a trigger you can specify a name to enable transition relations. This name, however, is not properly quoted when dumping the database, allowing to inject SQL code in the dump, which is later run by a superuser to restore the database.

Comment 9 Riccardo Schirone 2018-11-13 13:48:38 UTC
As said in comment 0, the attack requires CREATE privilege on some non-temporary schema or TRIGGER privilege on some table. However, a new user with no special permissions have by default CREATE permissions on the "public" schema, which would allow him to exploit the flaw.

Comment 16 errata-xmlrpc 2018-12-03 08:25:11 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS

Via RHSA-2018:3757 https://access.redhat.com/errata/RHSA-2018:3757

Comment 17 Cedric Buissart 🐶 2018-12-03 13:26:08 UTC
Statement:

This issue did not affect the versions of postgresql as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for triggers with `referecing` syntax, which was included in a later version of the program. 

It also doesn't affect the versions of postgresql shipped with CloudForms 4.2, 4.5 and 4.6,  and Satellite 5, for the same reason as above.

This issue did not affect the versions of postgresql shipped within Tower, as there is no code path for Tower users to call the CREATE statement.