Multiple Vulnerabilities in PostgreSQL Discovered

Multiple Vulnerabilities in PostgreSQL Discovered

A cybersecurity advisory was issued yesterday, Wednesday, Nov. 14, 2018, regarding multiple vulnerabilities in PostgreSQL. Successful exploitation of these vulnerabilities could allow arbitrary code execution.

What It Is:
PostgreSQL is an object-relational database management system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could allow them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.

See the bug alert by PostgreSQL. Read the alert by Red Hat.

Threat Intelligence:
There are currently no reports of these vulnerabilities being exploited in the wild.

What It Means:
If your business or organization employs PostgreSQL, you will need to apply the appropriate update after appropriate testing to prevent a possible security breach.

Systems Affected Include:
• PostgreSQL versions prior to 11.1 and 10.6

Risk:
Government:
• Large and medium government entities: High
• Small government entities: High
Businesses:
• Large and medium business entities: High
• Small business entities: High
Home users: Low

Technical Summary:
Multiple SQL injection vulnerabilities have been discovered in PostgreSQL that could allow for arbitrary code execution. The vulnerabilities are the result of the application’s failure to sufficiently sanitize user-supplied input before using it in an SQL query. These vulnerabilities allow attackers with the CREATE permission (or Trigger permission in some tables) to exploit input sanitation vulnerabilities in the pg_upgrade and pg_dump functions. The CREATE permission is automatically given to new users on the public schema, and the public schema is the default schema used on these databases. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.

What To Do:
We recommend the following actions be taken:

• Install the update provided by PostgreSQL immediately after appropriate testing.
• Verify no unauthorized modifications have occurred on system before applying patch.
• Monitor intrusion detection systems for any signs of anomalous activity.
• Unless required, limit external network access to affected products.

Negative Consequences of Lost or Stolen Data Include:
The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

• Temporary or permanent loss of sensitive or proprietary information.
• Disruption to regular operations.
• Financial losses incurred to restore systems and files.
• Potential harm to an organization’s reputation.

Should your agency or business need assistance with the detection of vulnerabilities in any of the above products or updates to include patches, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.

Thank you for your time and stay safe online.