Leaky PostgreSQL passwords plugged
DBAs: strap on your patching boots. Every DB in your clusters needs work
PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.
In CVE-2017-7547, a remote attacker can retrieve others' passwords because of a user mapping bug.
The authorisation oopsie derives from the database's handling of
pg_user_mappings, allowing an authenticated remote attacker retrieve passwords from user mappings defined by the server owner – all the way up to passwords set by the server admin.
Settle in with lots of coffee, sysadmins: after fetching the patch, there's a set of fix commands that have to be run on every database in a cluster.
In CVE-2017-7546, the server accepts empty passwords, as explained by Adam Mariš here:
“Several authentication methods, including the widely-used 'md5' method, permit empty passwords. On the client side,
libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.”
In CVE-2017-7548, there's a fix to the database's
lo_put() function, which had a missing permission check that allowed “any user to change the data in a large object”.
The PostgreSQL note about the bug outlines 50 other fixes for bugs reported in the last three months, and reminds users that Version 9.2 will move to the end-of-life list in September. ®