Bug 1547044 (CVE-2018-1058) - CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and other client applications
Summary: CVE-2018-1058 postgresql: Uncontrolled search path element in pg_dump and oth...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1058
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180301,repor...
Depends On: 1550902 1549755 1549756 1549759 1549760 1550901 1550903 1550904
Blocks: 1547046
TreeView+ depends on / blocked
 
Reported: 2018-02-20 12:09 UTC by Pedro Sampaio
Modified: 2019-08-14 12:24 UTC (History)
59 users (show)

Fixed In Version: postgresql 10.3, postgresql 9.6.8, postgresql 9.5.12, postgresql 9.4.17, postgresql 9.3.22
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:40:28 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2511 None None None 2018-08-20 10:50:51 UTC
Red Hat Product Errata RHSA-2018:2566 None None None 2018-08-27 08:34:46 UTC
Red Hat Product Errata RHSA-2018:3816 None None None 2018-12-13 15:15:20 UTC

Description Pedro Sampaio 2018-02-20 12:09:54 UTC
From upstream advisory:

Supported, Vulnerable Versions: 9.3 - 10. The security team typically does
not test unsupported versions, but this problem is quite old.

The PostgreSQL search_path setting determines schemas searched for tables,
functions, operators, etc. The pg_dump client application chooses search_path
settings such that every schema may appear at the front of its search path.
This permits a user with CREATE privilege on any schema to execute arbitrary
SQL functions under the identity of the user running pg_dump, often a
superuser. This is exploitable in the default configuration, where all users
have CREATE privilege on schema "public". The pg_upgrade implementation
invokes pg_dump under a superuser identity, and its usage is vulnerable.

Other client applications, such as vacuumdb, leave search_path unchanged. In
the default configuration, users can create objects in the "public" schema and
harness them to execute arbitrary SQL functions under the identity of the user
running these programs. The PostgreSQL project estimates this class of
vulnerability is pervasive in applications that query PostgreSQL databases, so
we are issuing guidance for database administrators and application authors to
secure their own work. In brief, one can issue "REVOKE CREATE ON SCHEMA
public FROM PUBLIC" to prevent these attacks.

Comment 1 Jason Shepherd 2018-02-22 05:52:04 UTC
Both RHMAP services unified-push-server, and millicore don't use a Postgres database. Marking them as not affected.

Comment 2 Jason Shepherd 2018-02-22 06:05:09 UTC
JON does not include a Postgres database, but does use one. Upgrading the database to 9.5.12 to pick up a fix for this issue would be a good idea for JON users, and will not break compatibility.

https://access.redhat.com/documentation/en-us/red_hat_jboss_operations_network/3.3/html/installation_guide/setting-up-dbs

Comment 7 Huzaifa S. Sidhpurwala 2018-03-02 08:36:44 UTC
External References:

https://www.postgresql.org/about/news/1834/

Comment 8 Huzaifa S. Sidhpurwala 2018-03-02 08:38:59 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: epel-7 [bug 1550902]
Affects: fedora-all [bug 1550903]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1550901]

Comment 23 Huzaifa S. Sidhpurwala 2018-05-04 04:39:39 UTC
Mitigation:

Upstream suggests the following mitigation can be used to protect against this security flaw: 
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

Comment 25 Andrej Nemec 2018-05-14 14:00:47 UTC
Statement:

This issue affects the versions of Postgresql as shipped with Red Hat Satellite 5. Red Hat Product Security has rated this issue as having security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

Comment 26 errata-xmlrpc 2018-08-20 10:50:35 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2511 https://access.redhat.com/errata/RHSA-2018:2511

Comment 27 errata-xmlrpc 2018-08-27 08:34:31 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2566 https://access.redhat.com/errata/RHSA-2018:2566

Comment 28 errata-xmlrpc 2018-12-13 15:15:18 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:3816 https://access.redhat.com/errata/RHSA-2018:3816


Note You need to log in before you can comment on or make changes to this bug.