Bug 2081126 (CVE-2022-1552) - CVE-2022-1552 postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox
Status: CLOSED ERRATA
Alias: CVE-2022-1552
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 2086614 2086615 2086616 2086617 2086618 2086619 2086620 2086621 2086627 2086628 2086629 2086630 2086631 2086632 2086633 2086634 2086635 2086636 2086637 2086638 2086639 2086640 2086641 2086642 2086643 2086644 2086645 2086646 2086647 2086648 2086649 2086650 2086651 2086652 2086653 2086654 2086655 2086656 2086657 2086658 2086659 2086660 2086661 2086662 2086663 2086664 2086665 2086666 2086667 2086668 2086669 2086670 2086672 2086684 2086685 2086686 2086687 2087572 2087573 2087574
Blocks: 2081125
Reported: 2022-05-02 20:05 UTC by Patrick Del Bello
Modified: 2022-07-12 13:51 UTC

Fixed In Version: postgresql 14.3, postgresql 13.7, postgresql 12.11, postgresql 11.16, postgresql 10.21
Doc Text:
A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.
Last Closed: 2022-06-07 14:49:47 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:4852 0 None None None 2022-05-31 18:45:27 UTC
Red Hat Product Errata RHBA-2022:4968 0 None None None 2022-06-08 17:26:21 UTC
Red Hat Product Errata RHBA-2022:4970 0 None None None 2022-06-08 19:15:21 UTC
Red Hat Product Errata RHBA-2022:4977 0 None None None 2022-06-09 01:09:04 UTC
Red Hat Product Errata RHBA-2022:5183 0 None None None 2022-06-22 18:31:42 UTC
Red Hat Product Errata RHBA-2022:5535 0 None None None 2022-07-07 18:33:33 UTC
Red Hat Product Errata RHBA-2022:5552 0 None None None 2022-07-12 13:51:39 UTC
Red Hat Product Errata RHSA-2022:4771 0 None None None 2022-05-30 08:15:05 UTC
Red Hat Product Errata RHSA-2022:4805 0 None None None 2022-05-30 13:03:03 UTC
Red Hat Product Errata RHSA-2022:4807 0 None None None 2022-05-31 09:17:41 UTC
Red Hat Product Errata RHSA-2022:4854 0 None None None 2022-06-01 20:42:08 UTC
Red Hat Product Errata RHSA-2022:4855 0 None None None 2022-06-01 21:17:44 UTC
Red Hat Product Errata RHSA-2022:4856 0 None None None 2022-06-01 21:17:17 UTC
Red Hat Product Errata RHSA-2022:4857 0 None None None 2022-06-01 21:41:36 UTC
Red Hat Product Errata RHSA-2022:4893 0 None None None 2022-06-04 01:07:42 UTC
Red Hat Product Errata RHSA-2022:4894 0 None None None 2022-06-03 19:17:34 UTC
Red Hat Product Errata RHSA-2022:4895 0 None None None 2022-06-04 01:07:13 UTC
Red Hat Product Errata RHSA-2022:4913 0 None None None 2022-06-06 09:29:31 UTC
Red Hat Product Errata RHSA-2022:4915 0 None None None 2022-06-06 09:26:31 UTC
Red Hat Product Errata RHSA-2022:4929 0 None None None 2022-06-07 11:42:51 UTC
Red Hat Product Errata RHSA-2022:5162 0 None None None 2022-06-22 10:11:15 UTC

Description Patrick Del Bello 2022-05-02 20:05:57 UTC
Vulnerability details:


* Autovacuum, REINDEX, and others omit "security restricted operation" sandbox.

CVSS v3 Base Score: 8.8
   [https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H]

Supported, Vulnerable Versions: 10 - 14.  The security team typically does
  not test unsupported versions, but this problem is quite old.

Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and
pg_amcheck made incomplete efforts to operate safely when a privileged user is
maintaining another user's objects.  Those commands activated relevant
protections too late or not at all.  An attacker having permission to create
non-temp objects in at least one schema could execute arbitrary SQL functions
under a superuser identity.

While promptly updating PostgreSQL is the best remediation for most users, a
user unable to do that can work around the vulnerability by disabling
autovacuum, not manually running the above commands, and not restoring from
output of the pg_dump command.  Performance may degrade quickly under this
workaround.  VACUUM is safe, and all commands are fine when a trusted user
owns the target object.

The PostgreSQL project thanks Alexander Lakhin for reporting this problem.
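
An audit for the conditions named in the description above, as an added example that is not part of the bug report or of PostgreSQL's own advisory: it reports the server version and autovacuum state, which non-superuser roles can create objects in a schema, and which non-temporary objects are owned by non-superusers. Treating "non-superuser" as the stand-in for an untrusted owner is an assumption of this example.

```sql
-- Added audit example (not from the bug report). Run in each database.
-- Assumption: "trusted user" is approximated here as "superuser".

-- 1. Server version and autovacuum state, to compare with the
--    "Fixed In Version" list and with the workaround in the description.
SELECT current_setting('server_version') AS server_version,
       current_setting('autovacuum')     AS autovacuum;

-- 2. Non-superuser login roles that hold CREATE on some schema
--    (the precondition named in the description), PUBLIC grants included.
SELECT n.nspname AS schema_name, r.rolname AS role_name
FROM pg_catalog.pg_namespace n
CROSS JOIN pg_catalog.pg_roles r
WHERE r.rolcanlogin
  AND NOT r.rolsuper
  AND n.nspname NOT LIKE 'pg\_%'            -- skip pg_catalog, pg_toast, pg_temp_N
  AND n.nspname <> 'information_schema'
  AND pg_catalog.has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY 1, 2;

-- 3. Non-temporary tables, indexes and materialized views owned by
--    non-superusers. Under the workaround these are the objects on which a
--    privileged user should not run REINDEX, CREATE INDEX, CLUSTER or
--    REFRESH MATERIALIZED VIEW until the update is installed.
SELECT n.nspname AS schema_name,
       c.relname AS object_name,
       CASE c.relkind
            WHEN 'r' THEN 'table'
            WHEN 'p' THEN 'partitioned table'
            WHEN 'i' THEN 'index'
            WHEN 'I' THEN 'partitioned index'
            WHEN 'm' THEN 'materialized view'
       END       AS kind,
       r.rolname AS owner
FROM pg_catalog.pg_class c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
JOIN pg_catalog.pg_roles r     ON r.oid = c.relowner
WHERE c.relkind IN ('r', 'p', 'i', 'I', 'm')
  AND c.relpersistence <> 't'               -- temporary objects excluded
  AND NOT r.rolsuper
  AND n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
ORDER BY r.rolname, n.nspname, c.relname;
```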

Comment 3 Patrick Del Bello 2022-05-16 12:41:22 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2086617]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2086615]


Created postgresql:10/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2086614]


Created postgresql:11/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2086619]


Created postgresql:12/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2086618]


Created postgresql:13/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2086621]


Created postgresql:14/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2086620]


Created postgresql:9.6/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2086616]

Comment 15 errata-xmlrpc 2022-05-30 08:15:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:4771 https://access.redhat.com/errata/RHSA-2022:4771

Comment 16 errata-xmlrpc 2022-05-30 13:02:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:4805 https://access.redhat.com/errata/RHSA-2022:4805

Comment 17 errata-xmlrpc 2022-05-31 09:17:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:4807 https://access.redhat.com/errata/RHSA-2022:4807

Comment 21 errata-xmlrpc 2022-06-01 20:42:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4854 https://access.redhat.com/errata/RHSA-2022:4854

Comment 22 errata-xmlrpc 2022-06-01 21:17:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4856 https://access.redhat.com/errata/RHSA-2022:4856

Comment 23 errata-xmlrpc 2022-06-01 21:17:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:4855 https://access.redhat.com/errata/RHSA-2022:4855

Comment 24 errata-xmlrpc 2022-06-01 21:41:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:4857 https://access.redhat.com/errata/RHSA-2022:4857

Comment 26 errata-xmlrpc 2022-06-03 19:17:29 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2022:4894 https://access.redhat.com/errata/RHSA-2022:4894

Comment 27 errata-xmlrpc 2022-06-04 01:07:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:4895 https://access.redhat.com/errata/RHSA-2022:4895

Comment 28 errata-xmlrpc 2022-06-04 01:07:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:4893 https://access.redhat.com/errata/RHSA-2022:4893

Comment 29 errata-xmlrpc 2022-06-06 09:26:26 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4915 https://access.redhat.com/errata/RHSA-2022:4915

Comment 30 errata-xmlrpc 2022-06-06 09:29:25 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4913 https://access.redhat.com/errata/RHSA-2022:4913

Comment 31 errata-xmlrpc 2022-06-07 11:42:46 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:4929 https://access.redhat.com/errata/RHSA-2022:4929

Comment 32 Product Security DevOps Team 2022-06-07 14:49:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-1552

Comment 33 errata-xmlrpc 2022-06-22 10:11:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2022:5162 https://access.redhat.com/errata/RHSA-2022:5162

