Bug 1612619 (CVE-2018-10925) - CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements
Summary: CVE-2018-10925 postgresql: Missing authorization and memory disclosure in INS...
Status: NEW
Alias: CVE-2018-10925
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20180809,repo...
Keywords: Security
Depends On: 1614396 1614397 1614399 1612669 1612670 1612671 1612672 1612673 1612674 1612675 1612676 1612684 1614402 1614582 1614795 1614796 1614797 1622783 1622784
Blocks: 1612620
TreeView+ depends on / blocked
 
Reported: 2018-08-06 01:13 UTC by Sam Fowler
Modified: 2018-12-13 15:15 UTC (History)
61 users (show)

Fixed In Version: postgresql 10.5, postgresql 9.6.10, postgresql 9.5.14
Doc Type: If docs needed, set a value
Doc Text:
It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2511 None None None 2018-08-20 10:51 UTC
Red Hat Product Errata RHSA-2018:2565 None None None 2018-08-27 08:21 UTC
Red Hat Product Errata RHSA-2018:2566 None None None 2018-08-27 08:35 UTC
Red Hat Product Errata RHSA-2018:3816 None None None 2018-12-13 15:15 UTC

Description Sam Fowler 2018-08-06 01:13:17 UTC
PostgreSQL before versions 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 do not properly authorize certain statements. A attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using INSERT ... ON CONFLICT DO UPDATE. By default, any user can exploit that. If such an attacker also has certain INSERT privileges and has UPDATE privilege on at least one column of a given table, a data integrity attack is possible. The attacker can update other columns, for which the attacker lacks UPDATE privilege.

Comment 1 Doran Moppert 2018-08-06 05:23:00 UTC
"ON CONFLICT DO UPDATE" was introduced in PostgreSQL 9.5; versions 9.4 and earlier do not support this feature and thus are not vulnerable to this CVE.

Earlier versions were mentioned in the previous comment as this is part of a combined upstream security update, also including CVE-2018-10915.

Comment 5 Doran Moppert 2018-08-09 05:52:01 UTC
Acknowledgments:

Name: the PostgreSQL project

Comment 6 Doran Moppert 2018-08-09 14:22:49 UTC
External References:

https://www.postgresql.org/about/news/1878/

Comment 7 Doran Moppert 2018-08-09 14:23:48 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: epel-7 [bug 1614397]
Affects: fedora-all [bug 1614399]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1614402]

Comment 10 Borja Tarraso 2018-08-10 12:33:06 UTC
Tower is affected as is using a vulnerable PostgreSQL version. Tower will embedded the fixed version in their next releases (3.1.8 and 3.2.6)

Comment 13 Cedric Buissart 2018-08-17 15:13:38 UTC
Statement:

Red Hat Virtualization includes vulnerable versions of postgresql. However this flaw is not known to be exploitable under any supported configuration of Red Hat Virtualization. A future update may address this issue.

This issue affects the versions of the postsgresql package as shipped with Red Hat Satellite 5.8. However, this flaw is not known to be exploitable under any supported scenario in Satellite 5.8. A future update may address this issue.

Comment 14 errata-xmlrpc 2018-08-20 10:50:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2511 https://access.redhat.com/errata/RHSA-2018:2511

Comment 15 errata-xmlrpc 2018-08-27 08:21:20 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2565 https://access.redhat.com/errata/RHSA-2018:2565

Comment 16 errata-xmlrpc 2018-08-27 08:35:39 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 6
  Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS

Via RHSA-2018:2566 https://access.redhat.com/errata/RHSA-2018:2566

Comment 18 errata-xmlrpc 2018-12-13 15:15:23 UTC
This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2018:3816 https://access.redhat.com/errata/RHSA-2018:3816


Note You need to log in before you can comment on or make changes to this bug.