Bug 2263384 (CVE-2024-0985)

Summary:	CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL
Product:	[Other] Security Response	Reporter:	Robb Gatica <rgatica>
Component:	vulnerability	Assignee:	Product Security <prodsec-ir-bot>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	aarif, adupliak, aileenc, aprice, caswilli, ccranfor, chazlett, dhanak, dsimansk, eric.wittmann, fjansen, fjanus, gmalinko, hhorak, hkataria, janstey, jorton, jpechane, kaycoth, kingland, kshier, kverlaen, kyoshida, matzew, mnovotny, mpierce, orabin, pantinor, pdelbell, pierdipi, pjindal, pkubat, psegedy, rguimara, rhuss, saroy
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	postgresql 12.18, postgresql 13.14, postgresql 14.11, postgresql 15.6	Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in PostgreSQL. A late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL can allow an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling a safe refresh of untrusted materialized views. The attack requires luring the victim, a superuser or member of one of the attacker's roles, into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2263411, 2263412, 2263493, 2265976, 2265977, 2265978, 2265979, 2265980, 2265981
Bug Blocks:	2263382

Description Robb Gatica 2024-02-08 16:33:57 UTC

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.

Affected Versions: 12, 13, 14, 15
Fixed in: 12.18, 13.14, 14.11, 15.6

References:
https://www.postgresql.org/support/security/CVE-2024-0985/

Comment 8 errata-xmlrpc 2024-02-22 15:46:22 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0950 https://access.redhat.com/errata/RHSA-2024:0950

Comment 9 errata-xmlrpc 2024-02-22 16:26:11 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0951 https://access.redhat.com/errata/RHSA-2024:0951

Comment 10 errata-xmlrpc 2024-02-26 01:36:48 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0956 https://access.redhat.com/errata/RHSA-2024:0956

Comment 11 errata-xmlrpc 2024-02-26 02:25:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0973 https://access.redhat.com/errata/RHSA-2024:0973

Comment 12 errata-xmlrpc 2024-02-26 02:54:00 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0974 https://access.redhat.com/errata/RHSA-2024:0974

Comment 13 errata-xmlrpc 2024-02-26 03:28:47 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0975 https://access.redhat.com/errata/RHSA-2024:0975

Comment 14 Sandipan Roy 2024-02-26 06:13:43 UTC

Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265977]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265976]


Created postgresql:12/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265978]


Created postgresql:13/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265979]


Created postgresql:14/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265980]


Created postgresql:15/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2265981]

Comment 15 errata-xmlrpc 2024-02-26 14:54:56 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:0988 https://access.redhat.com/errata/RHSA-2024:0988

Comment 16 errata-xmlrpc 2024-02-26 17:08:04 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:0990 https://access.redhat.com/errata/RHSA-2024:0990

Comment 17 errata-xmlrpc 2024-02-26 17:08:29 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2024:0992 https://access.redhat.com/errata/RHSA-2024:0992

Comment 18 errata-xmlrpc 2024-02-28 11:47:35 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1017 https://access.redhat.com/errata/RHSA-2024:1017

Comment 19 errata-xmlrpc 2024-03-04 19:37:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1071 https://access.redhat.com/errata/RHSA-2024:1071

Comment 20 errata-xmlrpc 2024-03-04 19:38:08 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1069 https://access.redhat.com/errata/RHSA-2024:1069

Comment 21 errata-xmlrpc 2024-03-04 19:38:20 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1070 https://access.redhat.com/errata/RHSA-2024:1070

Comment 22 errata-xmlrpc 2024-03-06 16:35:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1195 https://access.redhat.com/errata/RHSA-2024:1195

Comment 23 errata-xmlrpc 2024-03-11 15:19:24 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:1240 https://access.redhat.com/errata/RHSA-2024:1240

Comment 24 errata-xmlrpc 2024-03-11 15:19:38 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1241 https://access.redhat.com/errata/RHSA-2024:1241

Comment 25 errata-xmlrpc 2024-03-13 13:41:51 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1314 https://access.redhat.com/errata/RHSA-2024:1314

Comment 26 errata-xmlrpc 2024-03-13 13:46:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1315 https://access.redhat.com/errata/RHSA-2024:1315

Comment 27 errata-xmlrpc 2024-03-18 01:20:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:1348 https://access.redhat.com/errata/RHSA-2024:1348

Comment 28 errata-xmlrpc 2024-03-19 17:32:26 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:1422 https://access.redhat.com/errata/RHSA-2024:1422

Comment 29 errata-xmlrpc 2024-03-19 18:03:37 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1426 https://access.redhat.com/errata/RHSA-2024:1426

Comment 30 errata-xmlrpc 2024-03-19 18:05:16 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1429 https://access.redhat.com/errata/RHSA-2024:1429

Comment 31 errata-xmlrpc 2024-03-19 18:13:28 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1428 https://access.redhat.com/errata/RHSA-2024:1428

Comment 32 errata-xmlrpc 2024-03-20 09:36:50 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:1437 https://access.redhat.com/errata/RHSA-2024:1437