Security

Leaky PostgreSQL passwords plugged

DBAs: strap on your patching boots. Every DB in your clusters needs work


PostgreSQL has released updates 9.6.4, 9.5.8, 9.4.13, 9.3.18 and 9.2.22, which fix three security issues.

In CVE-2017-7547, an authenticated remote attacker can retrieve other users' passwords because of a user-mapping bug.

The authorisation oopsie derives from the database's handling of the pg_user_mappings view, which let an authenticated user read the options, passwords included, of user mappings that the foreign server's owner had defined for that user, even when the user had never been granted USAGE on the server. Since such passwords are often set by the server owner or an administrator rather than by the user, the hole lets an attacker harvest credentials for other systems.

Settle in with lots of coffee, sysadmins: installing the new binaries is not enough. Because the leaky view lives in each database's system catalog, the project also ships a set of SQL fix commands that have to be run in every database in a cluster.
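The following is an added example, not code from the PostgreSQL project or from the article, showing how to reproduce the leak described above in one database so you can confirm the per-database fix has actually landed. The wrapper, server and role names (dummy_fdw, remote_db, alice) and the password are made up for the demonstration; run it as a superuser.

```sql
-- Added example (not the project's own code): reproduce the CVE-2017-7547
-- leak and check whether this database's pg_user_mappings view still shows it.
-- dummy_fdw, remote_db, alice and the password are made-up names.

-- A wrapper with no handler is enough; we never connect to anything.
CREATE FOREIGN DATA WRAPPER dummy_fdw;
CREATE SERVER remote_db FOREIGN DATA WRAPPER dummy_fdw;
CREATE ROLE alice LOGIN;

-- The server owner stores a credential on alice's behalf.
-- Deliberately NOT granting alice USAGE on the server: that is the
-- condition under which the options must stay hidden.
CREATE USER MAPPING FOR alice SERVER remote_db
    OPTIONS (user 'alice', password 's3cret-remote-password');

-- The query under test, seen through alice's eyes.
SET ROLE alice;
SELECT srvname, usename, umoptions FROM pg_user_mappings;
RESET ROLE;

-- Control: USAGE is what should gate the options. After the grant,
-- alice is entitled to see her own mapping's options.
GRANT USAGE ON FOREIGN SERVER remote_db TO alice;
SET ROLE alice;
SELECT srvname, usename, umoptions FROM pg_user_mappings;
RESET ROLE;

-- Clean up.
DROP USER MAPPING FOR alice SERVER remote_db;
DROP SERVER remote_db;
DROP FOREIGN DATA WRAPPER dummy_fdw;
DROP ROLE alice;
```

On a database where the fix has not been applied, the first SELECT returns alice's mapping with the password in umoptions; on a fixed database umoptions is NULL for that row, and only the second SELECT (after the USAGE grant) shows it. Because the view definition is per database, repeat the check in each database of the cluster, not just the one you happened to patch first.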

In CVE-2017-7546, the server accepts empty passwords, as Adam Mariš explained:

“Several authentication methods, including the widely-used 'md5' method, permit empty passwords. On the client side, libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.”
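The following is an added example, not code from the PostgreSQL project or the article, that audits a cluster's roles for the empty passwords the advisory above warns about and shows the remediation. The role name legacy_app is made up; run it as a superuser, since pg_authid is superuser-only.

```sql
-- Added example (not the project's own code): find login roles whose
-- stored password is empty, as CVE-2017-7546 describes, and lock them down.
-- legacy_app is a made-up role name.

-- Reproduce the condition. On an unpatched 9.x server this stores a
-- usable credential; on a patched server the password is cleared instead.
CREATE ROLE legacy_app LOGIN PASSWORD '';

-- 9.x stores PASSWORD as 'md5' || md5(password || rolname), so an empty
-- password leaves the recognisable hash 'md5' || md5(rolname).
-- Roles created with UNENCRYPTED PASSWORD '' store the empty string itself.
SELECT rolname,
       rolcanlogin,
       CASE
         WHEN rolpassword = ''                    THEN 'empty (plaintext)'
         WHEN rolpassword = 'md5' || md5(rolname) THEN 'empty (md5)'
       END AS finding
FROM pg_authid
WHERE rolcanlogin
  AND (rolpassword = '' OR rolpassword = 'md5' || md5(rolname));

-- Remediate: clear the password so password-based methods reject the role ...
ALTER ROLE legacy_app PASSWORD NULL;
-- ... and/or remove the login right altogether.
ALTER ROLE legacy_app NOLOGIN;

DROP ROLE legacy_app;
```

Two caveats. The audit only matters for roles reachable through a password-based method in pg_hba.conf; a line using trust lets anyone in regardless of password, and the fix does nothing about that. And patching alone does not repair roles that already carry an empty-password hash: their stored value is still accepted by the md5 method until you clear it as above.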

In CVE-2017-7548, there's a fix to the database's lo_put() function, which was missing a permission check and so allowed “any user to change the data in a large object”.
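The following is an added example, not code from the PostgreSQL project or the article, that checks whether lo_put() now enforces the large-object ACL by comparing it with the lowrite() path, which always did. The role names (lo_owner, intruder), the object OID 424242 and the contents are made up; run it as a superuser, outside a transaction block so that an expected permission error does not abort the rest.

```sql
-- Added example (not the project's own code): does lo_put() honour
-- large-object permissions (CVE-2017-7548)? Roles, OID and data are made up.

CREATE ROLE lo_owner LOGIN;
CREATE ROLE intruder LOGIN;

-- lo_owner creates a large object with a fixed OID; the default ACL is
-- owner-only and nothing is granted to intruder.
SET ROLE lo_owner;
SELECT lo_from_bytea(424242, 'original contents');
RESET ROLE;

SET ROLE intruder;
-- Control: the lo_open()/lowrite() path has always checked the ACL,
-- so this statement is expected to fail with permission denied.
-- 131072 is INV_WRITE.
SELECT lowrite(lo_open(424242, 131072), 'tampered');
-- The statement under test: lo_put() skipped that check before the fix.
SELECT lo_put(424242, 0, 'tampered');
RESET ROLE;

-- Inspect what survived, then clean up.
SELECT convert_from(lo_get(424242), 'UTF8');
SELECT lo_unlink(424242);
DROP ROLE intruder;
DROP ROLE lo_owner;
```

On a fixed server both writes fail with permission denied and the final SELECT still shows the original contents; on an unfixed server only the lowrite() call fails and lo_put() silently overwrites the object. One caveat: if lo_compat_privileges is on, PostgreSQL skips all large-object permission checks by design, so the test proves nothing there; check that setting first.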

The PostgreSQL release note also lists 50 other fixes for bugs reported over the last three months, and reminds users that version 9.2 reaches end of life in September. ®
