Bug 2165722 (CVE-2022-41862) - CVE-2022-41862 postgresql: Client memory disclosure when connecting with Kerberos to modified server
Summary: CVE-2022-41862 postgresql: Client memory disclosure when connecting with Kerb...
Keywords:
Status: NEW
Alias: CVE-2022-41862
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2171366 2171367 2171368 2171369 2171370 2173998 2174356 2165882 2165883 2165884 2170071 2171365
Blocks: 2165723 2165725
 
Reported: 2023-01-30 20:54 UTC by Pedro Sampaio
Modified: 2023-03-21 17:35 UTC (History)

Fixed In Version: postgresql 15.2, postgresql 14.7, postgresql 13.10, postgresql 12.14, postgresql 11.19
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PostgreSQL. A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions, a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2023-01-30 20:54:18 UTC
A modified, unauthenticated server can send an unterminated string during the
establishment of Kerberos transport encryption. When a libpq client
application has a Kerberos credential cache and doesn't explicitly disable
option "gssencmode", a server can cause libpq to over-read and report an error
message containing uninitialized bytes from and following its receive buffer.
If libpq's caller somehow makes that message accessible to the attacker, this
achieves a disclosure of the over-read bytes. We have not confirmed or ruled
out viability of attacks that arrange for a crash or for presence of notable,
confidential information in disclosed bytes.
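
The following is a constructed model of the bug class the description refers to; it is added here and is neither libpq's code nor the PostgreSQL fix. A client keeps one receive buffer across reads and passes an 'E' packet's text to "%s" as if it were a C string; a hostile server omits the NUL terminator, so the format reads on into stale bytes left from an earlier read and the error message handed to the caller carries them. The packet layout, the stale contents, the "secret-token-xyz" marker and every function name are assumptions made for the example; the hardened handler shows the two checks a practitioner would want, rejecting an unterminated string and bounding the format to the bytes actually received.

```c
/* Constructed model of the bug class behind CVE-2022-41862 (not libpq
 * code, not the PostgreSQL fix).  A reused receive buffer plus "%s" on
 * a server-controlled, unterminated string leaks whatever the buffer
 * held before.  All names, packets and contents are made up here. */
#include <stdio.h>
#include <string.h>

#define RECV_BUF_SIZE 64

/* One receive buffer reused across reads, as a client normally keeps. */
static unsigned char recv_buf[RECV_BUF_SIZE];

/* Constructed stale content from an imagined earlier read; its NUL sits
 * inside the buffer so the model itself never reads out of bounds. */
static const char stale_bytes[] = "stale:secret-token-xyz";

/* Fresh state: zero the buffer, then plant the stale bytes at its front. */
static void reset_recv_buf(void)
{
    memset(recv_buf, 0, sizeof recv_buf);
    memcpy(recv_buf, stale_bytes, sizeof stale_bytes);
}

/* A packet of 'len' bytes arrives; bytes beyond it are left untouched. */
static void deliver(const void *payload, size_t len)
{
    if (len > RECV_BUF_SIZE)
        len = RECV_BUF_SIZE;
    memcpy(recv_buf, payload, len);
}

/* Vulnerable handler: an 'E' packet's text is trusted to end in NUL. */
static int report_error_vuln(size_t len, char *out, size_t outsz)
{
    if (len < 1 || recv_buf[0] != 'E')
        return -1;
    snprintf(out, outsz, "GSSAPI error from server: %s",
             (const char *)recv_buf + 1);          /* reads past 'len' */
    return 0;
}

/* Hardened handler: refuse an unterminated string, and bound the format
 * to the received bytes even when the terminator is present. */
static int report_error_safe(size_t len, char *out, size_t outsz)
{
    if (len < 2 || recv_buf[0] != 'E')
        return -1;
    if (recv_buf[len - 1] != '\0') {
        snprintf(out, outsz, "received error with unterminated string");
        return -2;
    }
    snprintf(out, outsz, "GSSAPI error from server: %.*s",
             (int)(len - 2), (const char *)recv_buf + 1);
    return 0;
}

/* Constructed packets: hostile (no NUL, 5 bytes) and honest (6 bytes). */
static const unsigned char evil_pkt[] = { 'E', 'b', 'o', 'o', 'm' };
static const unsigned char good_pkt[] = { 'E', 'b', 'o', 'o', 'm', '\0' };

/* Reset state, deliver one packet, run one handler; return its status. */
static int run_case(int (*handler)(size_t, char *, size_t),
                    const unsigned char *pkt, size_t len,
                    char *out, size_t outsz)
{
    reset_recv_buf();
    deliver(pkt, len);
    return handler(len, out, outsz);
}

/* 1 if the vulnerable handler's message carries the stale secret. */
static int vuln_leaks_stale(void)
{
    char out[128];
    return run_case(report_error_vuln, evil_pkt, sizeof evil_pkt,
                    out, sizeof out) == 0
        && strstr(out, "secret-token-xyz") != NULL;
}

/* 1 if the hardened handler rejects the hostile packet without leaking. */
static int safe_rejects_unterminated(void)
{
    char out[128];
    return run_case(report_error_safe, evil_pkt, sizeof evil_pkt,
                    out, sizeof out) == -2
        && strstr(out, "secret-token-xyz") == NULL;
}

/* 1 if the hardened handler still reports an honest server's message. */
static int safe_accepts_terminated(void)
{
    char out[128];
    return run_case(report_error_safe, good_pkt, sizeof good_pkt,
                    out, sizeof out) == 0
        && strcmp(out, "GSSAPI error from server: boom") == 0;
}

int main(void)
{
    char out[128];
    run_case(report_error_vuln, evil_pkt, sizeof evil_pkt, out, sizeof out);
    printf("vulnerable: %s\n", out);
    run_case(report_error_safe, evil_pkt, sizeof evil_pkt, out, sizeof out);
    printf("hardened:   %s\n", out);
    return !(vuln_leaks_stale() && safe_rejects_unterminated()
             && safe_accepts_terminated());
}
```

In the model the stale bytes are fabricated so the over-read stays inside the buffer and the program is well defined; in a real client the same "%s" walks past the received bytes into whatever follows, which is why the description says the disclosed bytes come "from and following" the receive buffer.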

Comment 4 Dhananjay Arunesh 2023-02-15 15:07:04 UTC
Created postgresql-jdbc tracking bugs for this issue:

Affects: fedora-all [bug 2170071]

