Bug 1622225 (CVE-2018-10936)

Summary: CVE-2018-10936 PostgreSQL: Postgres JDBC driver does not perform host name validation by default
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abhgupta, bmcclain, cbyrne, cmacedo, dajohnso, databases-maint, dbaker, dblechte, dfediuck, dffrench, dmetzger, dmoppert, drusso, eedri, gblomqui, gmainwar, gmccullo, gtanzill, hhorak, jfrey, jhardy, jlaska, jmadigan, jokerman, jprause, jshepherd, kdixon, lgriffin, mgoldboi, michal.skrivanek, ngough, obarenbo, pkajaba, pkubat, praiskup, pwright, roliveri, sbonazzo, security-response-team, sherold, simaishi, sthangav, tgl, trankin, trepel
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20180827,reported=20180824,source=upstream,cvss3=8.1/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-297,openshift-online-3/postgresql=notaffected,openshift-online-3/postgresql96=notaffected,ansible_tower-3/postgresql96=notaffected,cfme-5/postgresql94=notaffected,rhmap-4/millicore=notaffected,rhev-m-4/postgresql-jdbc=wontfix,rhel-6/postgresql-jdbc=wontfix,rhel-7/postgresql-jdbc=affected,rhel-8/postgresql-jdbc=affected,fedora-all/postgresql-jdbc=affected
Fixed In Version: postgresql-jdbc 42.2.5 Doc Type: If docs needed, set a value
Doc Text:
A weakness was found in postgresql-jdbc. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1623713, 1623714, 1664337    
Bug Blocks: 1622227    

Description Pedro Sampaio 2018-08-24 19:35:23 UTC
# The Postgres JDBC driver does not perform hostname validation by default
## Vulnerability

* Product : PostgreSQL
* Component : client / JDBC Driver (Tested version:
org.postgresql:postgresql:jar:42.2.4)
* Common Weakness : 297 (Improper Validation of Certificate with Host
Mismatch)

The PostgreSQL JDBC driver (org.postgresql:postgresql) does not perform
hostname validation by default.

=> This means that SSL certificates of other hosts are blindly accepted as
long as they are trusted.

To exploit this vulnerability an attacker has to perform a
man-in-the-middle (MITM) attack between a Java application using the JDBC
driver and the PostgreSQL server it's connecting to.

=> TLS normally protects users and systems against MITM attacks, it cannot
if certificates from other trusted hosts are accepted by the client. This
is especially dangerous if users connect to their database via public
networks (e.g. Internet).

References:

https://www.postgresql.org/about/news/1883/

Comment 1 Pedro Sampaio 2018-08-24 19:35:48 UTC
Acknowledgments:

Name: the PostgreSQL project

Comment 2 Doran Moppert 2018-08-30 01:20:00 UTC
Upstream down-rated the severity of this issue on making it public.  The default configuration in fact would validate host names, but it was possible to provide an SSLFactory that would not.  In 42.2.5, the documentation and API has been improved for clarity to avoid this mistake.

Comment 3 Doran Moppert 2018-08-30 01:20:25 UTC
External References:

https://www.postgresql.org/about/news/1883/

Comment 5 Borja Tarraso 2018-10-15 08:44:45 UTC
Tower does not use any java stuff or any JDBC driver at all.

Comment 6 Richard Maciel Costa 2018-11-22 12:53:21 UTC
CloudForms does not use java (it isn't even installed in the appliance), hence it is not affected.

Comment 7 Cedric Buissart 🐶 2019-01-08 13:53:51 UTC
Created postgresql-jdbc tracking bugs for this issue:

Affects: fedora-all [bug 1664337]

Comment 9 Doran Moppert 2019-04-09 00:44:18 UTC
Mitigation:

Applications using postgresql-jdbc should have their SSL configuration reviewed to ensure that host name verification is not disabled and only trusted CAs are accepted.

This vulnerability only impacts usage of postgresql-jdbc with a non-default SSL Factory, provided by the `sslfactory` parameter. If this parameter is not given, the default LibPQFactory is used, which is not vulnerable.