1.5 Ensure the Latest Security Patches are Applied

Information

PostgreSQL updates are released quarterly (or sooner for severe CVEs) to resolve bugs and mitigate vulnerabilities. It is recommended that PostgreSQL installations are kept up to date with the latest security updates. The PostgreSQL development group guarantees that point releases (or "minor releases") will not change the behavior of an existing install and as such are "safe" to install without fear of changes to your application's behavior.

Maintaining parity with PostgreSQL patches will help reduce the risk associated with known vulnerabilities present in the PostgreSQL server.

Without the latest security patches, PostgreSQL might have known vulnerabilities which could be used by an attacker to gain access.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Install the latest patches available for your version:

RHEL:

sudo dnf update $(rpm -qa | grep '^postgresql')

Debian:

sudo apt-get install --only-upgrade $(dpkg-query -W -f '${db:Status-Status} ${Package}\n' 'postgresql*' | awk '$1 != "not-installed" {print $NF}')

Impact:

To update the PostgreSQL server, a restart is required, which will cause a momentary service outage.
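The review this item asks for is a comparison of the installed point release against the latest point release for the same major version. The following is an added example of that check (not part of the CIS benchmark or the Nessus plugin); it parses the output of `SHOW server_version` or `SHOW server_version_num`, handles the pre-10 (X.Y.Z) and 10+ (X.Y) numbering schemes, and compares against a reference table whose values are constructed placeholders the operator must fill from the current PostgreSQL release notes.

```python
import re

# Constructed placeholder table: the operator fills this in from the current
# PostgreSQL release notes. Keys are major versions as PostgreSQL names them,
# values are the latest point release for that major. Not real release data.
LATEST_MINOR = {
    "9.6": "9.6.24",
    "12": "12.17",
    "15": "15.5",
}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Parse 'SHOW server_version' output (e.g. '15.4 (Debian 15.4-1.pgdg120+1)')
    into (major, point_release). Before PostgreSQL 10 the major is 'X.Y' and the
    point release is the third component; from 10 on the major is 'X' and the
    point release is the second component."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version string: {text!r}")
    a, b, c = m.group(1), m.group(2), m.group(3)
    if int(a) >= 10:
        return a, int(b)
    if c is None:
        raise ValueError(f"pre-10 version without point release: {text!r}")
    return f"{a}.{b}", int(c)


def parse_version_num(num):
    """Parse 'SHOW server_version_num' (e.g. 150004 or 90624) into (major, point_release)."""
    num = int(num)
    if num >= 100000:
        return str(num // 10000), num % 10000
    return f"{num // 10000}.{(num // 100) % 100}", num % 100


def is_patched(installed, latest=LATEST_MINOR):
    """Return (ok, message): ok is True only when the installed point release is at
    least the latest known point release for the same major version."""
    major, minor = installed
    if major not in latest:
        return False, f"major {major} not in reference table (unsupported or table stale)"
    expected = parse_version(latest[major])[1]
    if minor >= expected:
        return True, f"PostgreSQL {major} point release {minor} is current"
    return False, f"PostgreSQL {major} point release {minor} is behind {latest[major]}"
```

A major version absent from the table is reported as non-compliant rather than skipped, so an end-of-life server or a stale table surfaces during review instead of passing silently.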

See Also

https://workbench.cisecurity.org/benchmarks/19478

Item Details

Category: SYSTEM AND SERVICES ACQUISITION

References: 800-53|SA-22

Plugin: PostgreSQLDB

Control ID: ea84c757c61b01b45d143ed2c4e5cc542725c2de0c2ac5858c6a20edd2de1a1d