Bug 2326263 (CVE-2024-10976)

Summary: CVE-2024-10976 postgresql: PostgreSQL row security below e.g. subqueries disregards user ID changes
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PostgreSQL. This vulnerability allows incorrect row-level security policies to be applied via subqueries, WITH queries, security invoker views, or SQL-language functions that reference tables with row-level security policies. This issue arises when a query is planned under one role and executed under another, potentially leading to unauthorized reads or modifications of data.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2326462, 2326463, 2326464, 2326456, 2326457, 2326458, 2326459, 2326460, 2326461    
Bug Blocks:    

Description OSIDB Bzimport 2024-11-14 14:02:15 UTC 
Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended.  CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes.  They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy.  This has the same consequences as the two earlier CVEs.  That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles.  This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs.  Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications.  This affects only databases that have used CREATE POLICY to define a row security policy.  An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies.  Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Comment 2 errata-xmlrpc 2024-12-04 08:43:40 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10785 https://access.redhat.com/errata/RHSA-2024:10785
Comment 3 errata-xmlrpc 2024-12-04 09:19:44 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10788 https://access.redhat.com/errata/RHSA-2024:10788
Comment 4 errata-xmlrpc 2024-12-04 09:20:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10787 https://access.redhat.com/errata/RHSA-2024:10787
Comment 5 errata-xmlrpc 2024-12-04 15:35:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:10791 https://access.redhat.com/errata/RHSA-2024:10791
Comment 6 errata-xmlrpc 2024-12-05 09:08:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10830 https://access.redhat.com/errata/RHSA-2024:10830
Comment 7 errata-xmlrpc 2024-12-05 09:08:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10832 https://access.redhat.com/errata/RHSA-2024:10832
Comment 8 errata-xmlrpc 2024-12-05 09:08:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10831 https://access.redhat.com/errata/RHSA-2024:10831