Bug 2165722 (CVE-2022-41862) - CVE-2022-41862 postgresql: Client memory disclosure when connecting with Kerberos to modified server
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-41862
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2171366 2171367 2171368 2171369 2171370 2165882 2165883 2165884 2170071 2171365 2173998 2174356 2225251
Blocks: 2165723 2165725
Reported: 2023-01-30 20:54 UTC by Pedro Sampaio
Modified: 2023-08-10 10:33 UTC

Fixed In Version: postgresql 15.2, postgresql 14.7, postgresql 13.10, postgresql 12.14, postgresql 11.19
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in PostgreSQL. A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. Under certain conditions, such a server can cause a libpq client to over-read its receive buffer and report an error message containing uninitialized bytes.
Clone Of:
Environment:
Last Closed: 2023-04-11 19:36:02 UTC
Embargoed:




Links
Red Hat Product Errata RHSA-2023:1576 (last updated 2023-04-04 09:47:00 UTC)
Red Hat Product Errata RHSA-2023:1693 (last updated 2023-04-11 14:24:21 UTC)
Red Hat Product Errata RHSA-2023:4535 (last updated 2023-08-08 08:37:53 UTC)

Description Pedro Sampaio 2023-01-30 20:54:18 UTC
A modified, unauthenticated server can send an unterminated string during the
establishment of Kerberos transport encryption. When a libpq client
application has a Kerberos credential cache and doesn't explicitly disable
option "gssencmode", a server can cause libpq to over-read and report an error
message containing uninitialized bytes from and following its receive buffer.
If libpq's caller somehow makes that message accessible to the attacker, this
achieves a disclosure of the over-read bytes. We have not confirmed or ruled
out viability of attacks that arrange for a crash or for presence of notable,
confidential information in disclosed bytes.
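
The over-read class described in the report above, as an added illustration that is neither libpq's code nor the fix shipped in the releases listed: a client receive buffer holds a length-prefixed error message whose body the server failed to NUL-terminate. The message layout (type byte 'E', big-endian int32 length counting itself, then the body) follows the shape of the PostgreSQL ErrorResponse; the GSS handshake itself is omitted, and the names (recv_state, vulnerable_report, hardened_report), the 64-byte buffer and the 'S' filler standing in for stale bytes are constructed for this demonstration. The vulnerable function trusts %s to find a terminator; the hardened one bounds the read by the declared and received lengths and requires the terminator inside that span.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RECV_BUF_SIZE 64

/* Client receive buffer. The array outlives any single message, so everything
 * past nread is whatever earlier traffic left there: the bytes a %s over-read
 * picks up. */
typedef struct {
    unsigned char buf[RECV_BUF_SIZE];
    size_t nread;   /* bytes belonging to the message being parsed */
} recv_state;

/* Constructed input (not a captured packet): an error message shaped like the
 * PostgreSQL ErrorResponse: 'E', big-endian int32 length counting itself, body.
 * A conforming server NUL-terminates the body; the modified server in this CVE
 * does not. The unused part of the buffer is filled with 'S' as stand-in stale
 * data, with one NUL at the very end so the over-read stays inside the array. */
void fill_receive_buffer(recv_state *st, const char *body, int terminated)
{
    size_t blen = strlen(body) + (terminated ? 1 : 0);
    uint32_t declared = (uint32_t)(4 + blen);

    memset(st->buf, 'S', sizeof st->buf);
    st->buf[sizeof st->buf - 1] = '\0';
    st->buf[0] = 'E';
    st->buf[1] = (unsigned char)(declared >> 24);
    st->buf[2] = (unsigned char)(declared >> 16);
    st->buf[3] = (unsigned char)(declared >> 8);
    st->buf[4] = (unsigned char)declared;
    memcpy(st->buf + 5, body, blen);   /* includes body's NUL when terminated */
    st->nread = 5 + blen;
}

/* Vulnerable pattern: the body is handed to %s as though it were a C string.
 * With no terminator among the received bytes, formatting runs on through the
 * stale region until it finds a zero byte, and those bytes become part of the
 * "server's" error text. Returns the produced length. */
int vulnerable_report(const recv_state *st, char *out, size_t outsz)
{
    return snprintf(out, outsz, "server error: %s", (const char *)st->buf + 5);
}

/* Hardened pattern: believe only the declared length, bound it by the bytes
 * actually received, and insist the terminator sits inside that span. Anything
 * else is a protocol violation and yields a fixed message, not buffer contents. */
int hardened_report(const recv_state *st, char *out, size_t outsz)
{
    if (st->nread < 5 || st->buf[0] != 'E')
        return snprintf(out, outsz, "protocol error: expected an error message");

    uint32_t declared = ((uint32_t)st->buf[1] << 24) | ((uint32_t)st->buf[2] << 16) |
                        ((uint32_t)st->buf[3] << 8)  |  (uint32_t)st->buf[4];
    if (declared < 4 || (size_t)declared + 1 > st->nread)
        return snprintf(out, outsz, "protocol error: bad message length %u", (unsigned)declared);

    size_t blen = declared - 4;
    const unsigned char *body = st->buf + 5;
    if (blen == 0 || memchr(body, '\0', blen) == NULL)
        return snprintf(out, outsz, "protocol error: unterminated error message from server");

    /* %.*s reads at most blen bytes and stops at the NUL verified above. */
    return snprintf(out, outsz, "server error: %.*s", (int)blen, (const char *)body);
}

/* Named checks so each behaviour is available as a return value. */
int vulnerable_leaks_stale_bytes(void)
{
    recv_state st; char out[160];
    fill_receive_buffer(&st, "boom", 0);
    vulnerable_report(&st, out, sizeof out);
    return strstr(out, "boomSSSS") != NULL;   /* stale 'S' bytes follow "boom" */
}

int hardened_rejects_unterminated(void)
{
    recv_state st; char out[160];
    fill_receive_buffer(&st, "boom", 0);
    hardened_report(&st, out, sizeof out);
    return strcmp(out, "protocol error: unterminated error message from server") == 0;
}

int hardened_accepts_terminated(void)
{
    recv_state st; char out[160];
    fill_receive_buffer(&st, "boom", 1);
    hardened_report(&st, out, sizeof out);
    return strcmp(out, "server error: boom") == 0;
}

int main(void)
{
    printf("vulnerable leaks stale bytes:  %d\n", vulnerable_leaks_stale_bytes());
    printf("hardened rejects unterminated: %d\n", hardened_rejects_unterminated());
    printf("hardened accepts terminated:   %d\n", hardened_accepts_terminated());
    return 0;
}
```

The hardened path turns the modified server's message into a fixed string rather than a copy of whatever followed the payload in memory, which is what a caller that forwards error text elsewhere needs. On the configuration side, the report above states that the exposure requires a Kerberos credential cache and gssencmode left at its default; until libpq is updated to the versions listed in this bug, setting gssencmode=disable explicitly in the connection string (or PGGSSENCMODE in the client environment) keeps the client out of the GSS encryption negotiation in which this over-read occurs.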

Comment 4 Dhananjay Arunesh 2023-02-15 15:07:04 UTC
Created postgresql-jdbc tracking bugs for this issue:

Affects: fedora-all [bug 2170071]

Comment 8 errata-xmlrpc 2023-04-04 09:46:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1576 https://access.redhat.com/errata/RHSA-2023:1576

Comment 9 errata-xmlrpc 2023-04-11 14:24:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1693 https://access.redhat.com/errata/RHSA-2023:1693

Comment 10 Product Security DevOps Team 2023-04-11 19:35:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-41862

Comment 13 errata-xmlrpc 2023-08-08 08:37:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4535 https://access.redhat.com/errata/RHSA-2023:4535

