Bug 1734416 (CVE-2019-10208)
Summary: | CVE-2019-10208 postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | msiddiqu |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | akoufoud, alazarot, almorale, anon.amish, anstephe, asakala, bkearney, cbuissar, databases-maint, dblechte, ddj_luo, devrim, dfediuck, eedri, etirelli, hhorak, ibek, jmlich83, jorton, krathod, kverlaen, mgoldboi, michal.skrivanek, mike, mnovotny, mperina, panovotn, paradhya, pkajaba, pkubat, praiskup, puebele, rrajasek, rsynek, sbonazzo, sdaley, security-response-team, sherold, sisharma, tgl, tlestach, trupti_pardeshi, yturgema |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | postgresql 11.5, postgresql 10.10, postgresql 9.6.15, postgresql 9.5.19, postgresql 9.4.24 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function. | |
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-09-08 13:18:03 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1739211, 1739215, 1739217, 1741488, 1741489, 1741490, 1741492, 1741493, 1857226, 1872762, 1881769, 1881777, 1909706, 1909707, 1909717, 1909718, 1909719 | ||
Bug Blocks: | 1734467 |
Description
msiddiqu
2019-07-30 13:52:35 UTC
Acknowledgments:

Name: the PostgreSQL project
Upstream: Tom Lane

The following products only contain the JDBC postgresql driver, not the server and are not affected:
* Red Hat Decision Manager
* Red Hat Process Automation Manager

Created mingw-postgresql tracking bugs for this issue:
Affects: epel-7 [bug 1739217]
Affects: fedora-all [bug 1739211]

Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1739215]

External References:
https://www.postgresql.org/about/news/1960/

Red Hat Gluster Storage 3 ships JDBC part of postgresql embedded in rhevm-dependencies, hence not affected.

Upstream fixes per branches:
9.4 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=8673743
9.5 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=752fa3d
9.6 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=7da4619
10 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2062007
11 : https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=21f94c5

Hello,
May I know if Linux PostgreSQL 7.1beta6 version is also affected by this vulnerability and requires the fix? Any heads up will be appreciated.
Thank you in advance.
Best Regards,

Mitigation:
If your use case requires SECURITY DEFINER functions, please follow the advice below to write them safely so they do not rely on search_path and restrict the set of users which can access them.
https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY

(In reply to Trupti Pardeshi from comment #12)
> May I know if Linux PostgreSQL 7.1beta6 version is also affected by this
> vulnerability and requires the fix? Any heads up will be appreciated.

Hi,
PostgreSQL 7.1 has not been tested. I believe that this version does not support SECURITY DEFINER (as far as I know, it was a new feature from 7.3). If so, then 7.1 might not be vulnerable.
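The mitigation comment above points at the CREATE FUNCTION documentation for writing SECURITY DEFINER functions safely. As an added illustration, not part of this bug report and not code from the PostgreSQL project, the SQL below shows the two controls that documentation describes (a search_path pinned on the function, with pg_temp placed last, and EXECUTE revoked from PUBLIC and granted only to the intended role), followed by a catalog query that lists existing SECURITY DEFINER functions that carry no search_path setting and so deserve review. The schema, table, role and function names (app, app.accounts, reporting_role, get_balance) are hypothetical. This is the documented hardening practice the mitigation refers to; it does not replace upgrading to the fixed versions listed under "Fixed In Version".

```sql
-- Added example (not from the bug report or the PostgreSQL project).
-- Assumes a schema "app" with a table app.accounts(id integer, balance numeric)
-- and a role "reporting_role" already exist; all of these names are hypothetical.

-- 1. Pin search_path on the function itself. Unqualified names used while the
--    function runs (functions, operators, types, tables) are then resolved
--    through this list and not through the caller's search_path. pg_temp is
--    named last: when it is not listed explicitly it is searched FIRST, and
--    any caller can create objects in it.
CREATE OR REPLACE FUNCTION app.get_balance(p_account integer)
RETURNS numeric
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, app, pg_temp
AS $$
    SELECT balance FROM app.accounts WHERE id = p_account;
$$;

-- 2. Restrict who may call it. CREATE FUNCTION grants EXECUTE to PUBLIC by
--    default, so revoke that and grant only the role that needs it. Doing the
--    CREATE, REVOKE and GRANT in one transaction avoids a window in which the
--    function is callable by everyone.
REVOKE EXECUTE ON FUNCTION app.get_balance(integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.get_balance(integer) TO reporting_role;

-- 3. Audit existing functions: every SECURITY DEFINER function whose
--    proconfig contains no search_path entry. unnest(NULL) yields no rows,
--    so functions with no per-function settings at all are listed too.
SELECT n.nspname                                   AS schema,
       p.proname                                   AS function,
       pg_get_function_identity_arguments(p.oid)   AS args,
       pg_get_userbyid(p.proowner)                 AS owner
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef
  AND  NOT EXISTS (SELECT 1
                   FROM   unnest(p.proconfig) AS c
                   WHERE  c LIKE 'search_path=%')
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER  BY 1, 2;
```

Run the audit query as a superuser or as a role that can read pg_proc for the whole cluster, once per database, since pg_proc is per-database. A function that appears in the output should either gain a `SET search_path` clause like the one above or lose SECURITY DEFINER if it does not actually need it.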
Statement:
Red Hat Virtualization Management Appliance included affected versions of postgresql, however no custom SECURITY DEFINER functions are declared so this vulnerability can not be exploited in the default configuration.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:3669 https://access.redhat.com/errata/RHSA-2020:3669

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-10208

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2020:4295 https://access.redhat.com/errata/RHSA-2020:4295

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2020:5619 https://access.redhat.com/errata/RHSA-2020:5619

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:5661 https://access.redhat.com/errata/RHSA-2020:5661

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions
Via RHSA-2020:5664 https://access.redhat.com/errata/RHSA-2020:5664

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.2 Extended Update Support
Via RHSA-2021:0164 https://access.redhat.com/errata/RHSA-2021:0164

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2021:0166 https://access.redhat.com/errata/RHSA-2021:0166

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.1 Extended Update Support
Via RHSA-2021:0167 https://access.redhat.com/errata/RHSA-2021:0167

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2021:1512 https://access.redhat.com/errata/RHSA-2021:1512