Bug 1612619 - (CVE-2018-10925) CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INS...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20180809,repo...
: Security
Depends On: 1612669 1612670 1612671 1612672 1612673 1612674 1612684 1614396 1614397 1614399 1614582 1612675 1612676 1614402 1614795 1614796 1614797
Blocks: 1612620
  Show dependency treegraph
 
Reported: 2018-08-05 21:13 EDT by Sam Fowler
Modified: 2018-08-14 05:01 EDT (History)
62 users (show)

See Also:
Fixed In Version: postgresql 10.5, postgresql 9.6.10, postgresql 9.5.14
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sam Fowler 2018-08-05 21:13:17 EDT
PostgreSQL before versions 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 do not properly authorize certain statements. A attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using INSERT ... ON CONFLICT DO UPDATE. By default, any user can exploit that. If such an attacker also has certain INSERT privileges and has UPDATE privilege on at least one column of a given table, a data integrity attack is possible. The attacker can update other columns, for which the attacker lacks UPDATE privilege.
Comment 1 Doran Moppert 2018-08-06 01:23:00 EDT
"ON CONFLICT DO UPDATE" was introduced in PostgreSQL 9.5; versions 9.4 and earlier do not support this feature and thus are not vulnerable to this CVE.

Earlier versions were mentioned in the previous comment as this is part of a combined upstream security update, also including CVE-2018-10915.
Comment 2 Doran Moppert 2018-08-06 02:10:49 EDT
Statement:

Red Hat Virtualization includes vulnerable versions of postgresql. However this flaw is not known to be exploitable under any supported configuration of Red Hat Virtualization. A future update may address this issue.
Comment 5 Doran Moppert 2018-08-09 01:52:01 EDT
Acknowledgments:

Name: the PostgreSQL project
Comment 6 Doran Moppert 2018-08-09 10:22:49 EDT
External References:

https://www.postgresql.org/about/news/1878/
Comment 7 Doran Moppert 2018-08-09 10:23:48 EDT
Created mingw-postgresql tracking bugs for this issue:

Affects: epel-7 [bug 1614397]
Affects: fedora-all [bug 1614399]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1614402]
Comment 10 Borja Tarraso 2018-08-10 08:33:06 EDT
Tower is affected as is using a vulnerable PostgreSQL version. Tower will embedded the fixed version in their next releases (3.1.8 and 3.2.6)

Note You need to log in before you can comment on or make changes to this bug.