Vulnerability details:

* Autovacuum, REINDEX, and others omit "security restricted operation" sandbox.

CVSS v3 Base Score: 8.8 [https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H]

Supported, Vulnerable Versions: 10 - 14. The security team typically does not test unsupported versions, but this problem is quite old.

Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck made incomplete efforts to operate safely when a privileged user is maintaining another user's objects. Those commands activated relevant protections too late or not at all. An attacker having permission to create non-temp objects in at least one schema could execute arbitrary SQL functions under a superuser identity.

While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum, not manually running the above commands, and not restoring from output of the pg_dump command. Performance may degrade quickly under this workaround. VACUUM is safe, and all commands are fine when a trusted user owns the target object.

The PostgreSQL project thanks Alexander Lakhin for reporting this problem.

Created mingw-postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2086617]

Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2086615]

Created postgresql:10/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2086614]

Created postgresql:11/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2086619]

Created postgresql:12/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2086618]

Created postgresql:13/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2086621]

Created postgresql:14/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2086620]

Created postgresql:9.6/postgresql tracking bugs for this issue:
Affects: fedora-all [bug 2086616]

Upstream advisory:
https://www.postgresql.org/support/security/CVE-2022-1552/

Upstream announcement of 14.3, 13.7, 12.11, 11.16, and 10.21 releases fixing this issue:
https://www.postgresql.org/about/news/postgresql-143-137-1211-1116-and-1021-released-2449/

Upstream commits (master branch):
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a117cebd638dd02e5c2e791c25e43745f233111b
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=0abc1a059e27c5a71a1a186c97d9c0af407469cc

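Added example (not part of this bug report, the upstream advisory, or any vendor tooling): catalog queries an administrator can run to gauge exposure in the terms the description and the upstream announcement use, namely the fixed minor releases, who can create non-temp objects, and which maintained objects have an untrusted owner. Treating "trusted user" as "superuser" and flagging expression or partial indexes are assumptions of this example.

```sql
-- 1. Is the server at or above the fixed minor release for its major version?
--    Thresholds are the releases named in the upstream announcement
--    (14.3, 13.7, 12.11, 11.16, 10.21).
SELECT current_setting('server_version') AS server_version,
       CASE current_setting('server_version_num')::int / 10000
            WHEN 14 THEN current_setting('server_version_num')::int >= 140003
            WHEN 13 THEN current_setting('server_version_num')::int >= 130007
            WHEN 12 THEN current_setting('server_version_num')::int >= 120011
            WHEN 11 THEN current_setting('server_version_num')::int >= 110016
            WHEN 10 THEN current_setting('server_version_num')::int >= 100021
       END AS has_fixed_minor;  -- NULL: major version not in the list above

-- 2. Non-superuser roles that can create objects in a non-temp schema
--    (the precondition stated in the vulnerability details).
SELECT n.nspname AS schema_name, r.rolname AS role_name
FROM pg_namespace n
CROSS JOIN pg_roles r
WHERE NOT r.rolsuper
  AND n.nspname !~ '^pg_(temp|toast)'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY schema_name, role_name;

-- 3. Indexes and materialized views owned by a non-superuser: the objects
--    that REINDEX, CLUSTER, REFRESH MATERIALIZED VIEW or autovacuum would
--    process on that owner's behalf.
--    Assumption: expression and partial indexes are flagged because their
--    definitions contain expressions evaluated during maintenance.
SELECT n.nspname AS schema_name,
       c.relname AS relation_name,
       CASE c.relkind WHEN 'm' THEN 'materialized view' ELSE 'index' END AS kind,
       r.rolname AS owner,
       (i.indexprs IS NOT NULL OR i.indpred IS NOT NULL) AS has_expr_or_predicate,
       CASE WHEN c.relkind IN ('i', 'I') THEN pg_get_indexdef(c.oid) END AS index_definition
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r ON r.oid = c.relowner
LEFT JOIN pg_index i ON i.indexrelid = c.oid
WHERE NOT r.rolsuper
  AND c.relkind IN ('i', 'I', 'm')
  AND n.nspname !~ '^pg_(temp|toast)'
ORDER BY has_expr_or_predicate DESC NULLS LAST, owner, schema_name, relation_name;

-- 4. Workaround state: is autovacuum enabled server-wide?
SHOW autovacuum;
```
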
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2022:4771 https://access.redhat.com/errata/RHSA-2022:4771
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:4805 https://access.redhat.com/errata/RHSA-2022:4805
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:4807 https://access.redhat.com/errata/RHSA-2022:4807
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:4854 https://access.redhat.com/errata/RHSA-2022:4854
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:4856 https://access.redhat.com/errata/RHSA-2022:4856
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:4855 https://access.redhat.com/errata/RHSA-2022:4855
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:4857 https://access.redhat.com/errata/RHSA-2022:4857
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions Via RHSA-2022:4894 https://access.redhat.com/errata/RHSA-2022:4894
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:4895 https://access.redhat.com/errata/RHSA-2022:4895
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2022:4893 https://access.redhat.com/errata/RHSA-2022:4893
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:4915 https://access.redhat.com/errata/RHSA-2022:4915
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:4913 https://access.redhat.com/errata/RHSA-2022:4913
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:4929 https://access.redhat.com/errata/RHSA-2022:4929
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-1552
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2022:5162 https://access.redhat.com/errata/RHSA-2022:5162