Leaky PostgreSQL passwords plugged

DBAs: strap on your patching boots. Every DB in your clusters needs work

By Richard Chirgwin


PostgreSQL has released three security patches for versions 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.

In CVE-2017-7547, a remote attacker can retrieve others' passwords because of a user mapping bug.

The authorisation oopsie derives from the database's handling of pg_user_mappings, allowing an authenticated remote attacker retrieve passwords from user mappings defined by the server owner – all the way up to passwords set by the server admin.

Settle in with lots of coffee, sysadmins: after fetching the patch, there's a set of fix commands that have to be run on every database in a cluster.

In CVE-2017-7546, the server accepts empty passwords, as explained by Adam Mariš here:

“Several authentication methods, including the widely-used 'md5' method, permit empty passwords. On the client side, libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.”

In CVE-2017-7548, there's a fix to the database's lo_put() function, which had a missing permission check that allowed “any user to change the data in a large object”.

The PostgreSQL note about the bug outlines 50 other fixes for bugs reported in the last three months, and reminds users that Version 9.2 will move to the end-of-life list in September. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Microsoft emergency update: Malware Engine needs, erm, malware protection

Stop appreciating the irony and go install the patch now

Microsoft patched more Malware Protection Engine bugs last week

Redmond's out-of-band advisory landed after the bugs were fixed

Git security vulnerability could lead to an attack of the (repo) clones

Best git patching y'all

SoftNAS no longer a soft touch for hackers (for now)... Remote-hijacking vulnerability patched

Your files are someone else's files, too, thanks to storage bug

OpenFlow protocol has a switch authentication vulnerability

It's old, it's everywhere and it's not likely to be fixed in a hurry

Paranoid Android: Antivirus app-makers resolve MitM vulnerability

Attack loophole in Panda app sealed

Who needs custom malware? 'Govt-backed' Gallmaker spy crew uses off-the-shelf wares

Likely state hackers make do with 'living off the land' and going after tardy Office patchers

Russia's national vulnerability database is a bit like the Soviet Union – sparse and slow

By design, though, not... er, general rubbishness

Russian malware harvesting Telegram Desktop creds, chats

Python programmer may have outed himself on YouTube

FBI fingers North Korea for two malware strains

'Joanap' and 'Brambul' harvest info about your systems and send it home