Bug 2113825 (CVE-2022-2625) - CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension.
Summary: CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-2625
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2114730 2114731 2114732 2114733 2114734 2119248 2119249 2119250 2119251 2119252 2119253 2119254 2131176 2131177 2143167 2158190 2158191 2158194 2173597 2173598
Blocks: 2113826
TreeView+ depends on / blocked
 
Reported: 2022-08-02 05:53 UTC by Sandipan Roy
Modified: 2023-12-07 08:20 UTC (History)
29 users (show)

Fixed In Version: postgresql 14.5, postgresql 13.8, postgresql 12.12, postgresql 11.17, postgresql 10.22
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
Clone Of:
Environment:
Last Closed: 2022-12-02 01:33:19 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:7128 0 None None None 2022-10-25 09:29:32 UTC
Red Hat Product Errata RHSA-2023:0113 0 None None None 2023-01-12 09:22:46 UTC
Red Hat Product Errata RHSA-2023:0160 0 None None None 2023-01-12 14:47:33 UTC
Red Hat Product Errata RHSA-2023:1576 0 None None None 2023-04-04 09:46:59 UTC
Red Hat Product Errata RHSA-2023:1693 0 None None None 2023-04-11 14:24:16 UTC
Red Hat Product Errata RHSA-2023:7545 0 None None None 2023-11-28 15:08:20 UTC
Red Hat Product Errata RHSA-2023:7580 0 None None None 2023-11-29 14:10:10 UTC
Red Hat Product Errata RHSA-2023:7667 0 None None None 2023-12-06 09:47:15 UTC
Red Hat Product Errata RHSA-2023:7694 0 None None None 2023-12-07 08:20:28 UTC
Red Hat Product Errata RHSA-2023:7695 0 None None None 2023-12-07 08:20:48 UTC

Description Sandipan Roy 2022-08-02 05:53:49 UTC
Extension scripts replace objects not belonging to the extension.

Some extensions use CREATE OR REPLACE or CREATE IF NOT EXISTS commands.  Some
don't adhere to the documented rule to target only objects known to be
extension members already.  An attack requires permission to create
non-temporary objects in at least one schema, ability to lure or wait for an
administrator to create or update an affected extension in that schema, and
ability to lure or wait for a victim to use the object targeted in CREATE OR
REPLACE or CREATE IF NOT EXISTS.  Given all three prerequisites, the attacker
can run arbitrary code as the victim role, which may be a superuser.
Known-affected extensions include both PostgreSQL-bundled and non-bundled
extensions.  PostgreSQL is blocking this attack in the core server, so there's
no need to modify individual extensions.

Comment 4 Sandipan Roy 2022-08-18 04:52:07 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2119248]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2119249]


Created postgresql:10/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2119250]


Created postgresql:11/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2119251]


Created postgresql:12/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2119252]


Created postgresql:13/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2119253]


Created postgresql:14/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 2119254]

Comment 14 errata-xmlrpc 2022-10-25 09:29:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7128 https://access.redhat.com/errata/RHSA-2022:7128

Comment 15 Product Security DevOps Team 2022-12-02 01:33:16 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-2625

Comment 18 errata-xmlrpc 2023-01-12 09:22:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:0113 https://access.redhat.com/errata/RHSA-2023:0113

Comment 19 errata-xmlrpc 2023-01-12 14:47:30 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:0160 https://access.redhat.com/errata/RHSA-2023:0160

Comment 20 errata-xmlrpc 2023-04-04 09:46:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:1576 https://access.redhat.com/errata/RHSA-2023:1576

Comment 21 errata-xmlrpc 2023-04-11 14:24:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:1693 https://access.redhat.com/errata/RHSA-2023:1693

Comment 25 errata-xmlrpc 2023-11-28 15:08:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7545 https://access.redhat.com/errata/RHSA-2023:7545

Comment 26 errata-xmlrpc 2023-11-29 14:10:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7580 https://access.redhat.com/errata/RHSA-2023:7580

Comment 29 errata-xmlrpc 2023-12-06 09:47:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7667 https://access.redhat.com/errata/RHSA-2023:7667

Comment 30 errata-xmlrpc 2023-12-07 08:20:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:7694 https://access.redhat.com/errata/RHSA-2023:7694

Comment 31 errata-xmlrpc 2023-12-07 08:20:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:7695 https://access.redhat.com/errata/RHSA-2023:7695


Note You need to log in before you can comment on or make changes to this bug.