Bug 1956877 (CVE-2021-32028)

Summary: CVE-2021-32028 postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE
Product: [Other] Security Response Reporter: Michael Kaplan <mkaplan>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aboyko, aileenc, akoufoud, alazarot, almorale, anon.amish, anstephe, asoldano, atangrin, avibelli, bbaranow, bgeorges, bmaxwell, brian.stansberry, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, databases-maint, devrim, dkreling, dosoudil, drieden, eleandro, etirelli, fjanus, fjuma, ggaughan, gmalinko, gsmet, hamadhan, hhorak, ibek, iweiss, janstey, jmlich83, jochrist, jorton, jpallich, jperkins, jstastny, jwon, kaycoth, krathod, kverlaen, kwills, lgao, lthon, mcascell, mike, mnovotny, msochure, msvehla, mszynkie, nwallace, panovotn, peholase, pgallagh, pjindal, pkubat, pmackay, praiskup, probinso, rguimara, rrajasek, rruss, rstancel, rsvoboda, sbiarozk, sdouglas, security-response-team, smaestri, tgl, tom.jenkinson, tzimanyi, yborgess
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: postgresql 13.3, postgresql 12.7, postgresql 11.12, postgresql 10.17, postgresql 9.6.22 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-09 15:05:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1962787, 1962788, 1962789, 1962790, 1962791, 1962792, 1962793, 1962805, 1962806, 1962807, 1962808, 1962809, 1962810, 1966208, 1966209, 1966210, 1966211, 1966212, 1966213, 1966214, 1966215, 1967308, 1967309, 1967551    
Bug Blocks: 1956885, 1956886, 1972612    

Description Michael Kaplan 2021-05-04 15:21:16 UTC 
Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted
table, an attacker can read arbitrary bytes of server memory.  In the default
configuration, any authenticated database user can create prerequisite objects
and complete this attack at will.  A user lacking the CREATE and TEMPORARY
privileges on all databases and the CREATE privilege on all schemas cannot use
this attack at will.
Comment 3 Mauro Matteo Cascella 2021-05-20 14:37:21 UTC 
Upstream fix:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=049e1e2edb06854d7cd9460c22516efaa165fbf8 [master]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=4a8656a7ee0c155b0249376af58eb3fc3a90415f [REL_13_STABLE]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=a5fa3e0671474411ad81600a8f2b4800a4464afc [REL_12_STABLE]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=b7d1f32ff6588be99844c140ec1aacb6e44f4b84 [REL_11_STABLE]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=52a4413627319980843bb8f375f28c7f01c45e18 [REL_10_STABLE]
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=0fcb8e2e0154dedea5c3c7da6dd2cffb731aac06 [REL9_6_STABLE]
Comment 4 Mauro Matteo Cascella 2021-05-20 15:59:03 UTC 
Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962791]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962790]


Created postgresql:10/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962789]


Created postgresql:11/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962788]


Created postgresql:12/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962787]


Created postgresql:13/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962793]


Created postgresql:9.6/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1962792]
Comment 7 Mauro Matteo Cascella 2021-06-03 19:59:22 UTC 
Upstream advisory:
https://www.postgresql.org/support/security/CVE-2021-32028/
Comment 9 errata-xmlrpc 2021-06-09 12:01:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2360 https://access.redhat.com/errata/RHSA-2021:2360
Comment 10 errata-xmlrpc 2021-06-09 12:13:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2361 https://access.redhat.com/errata/RHSA-2021:2361
Comment 11 Product Security DevOps Team 2021-06-09 15:05:30 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-32028
Comment 12 errata-xmlrpc 2021-06-10 10:07:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2372 https://access.redhat.com/errata/RHSA-2021:2372
Comment 13 errata-xmlrpc 2021-06-10 11:20:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2375 https://access.redhat.com/errata/RHSA-2021:2375
Comment 14 errata-xmlrpc 2021-06-14 07:47:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2392 https://access.redhat.com/errata/RHSA-2021:2392
Comment 15 errata-xmlrpc 2021-06-14 07:50:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:2393 https://access.redhat.com/errata/RHSA-2021:2393
Comment 16 errata-xmlrpc 2021-06-14 08:53:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2389 https://access.redhat.com/errata/RHSA-2021:2389
Comment 17 errata-xmlrpc 2021-06-14 08:54:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2391 https://access.redhat.com/errata/RHSA-2021:2391
Comment 18 errata-xmlrpc 2021-06-14 08:55:54 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2395 https://access.redhat.com/errata/RHSA-2021:2395
Comment 19 errata-xmlrpc 2021-06-14 09:07:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2390 https://access.redhat.com/errata/RHSA-2021:2390
Comment 20 errata-xmlrpc 2021-06-14 09:17:41 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2394 https://access.redhat.com/errata/RHSA-2021:2394
Comment 21 errata-xmlrpc 2021-06-14 09:25:52 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:2396 https://access.redhat.com/errata/RHSA-2021:2396