INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2566 advisory.

  - postgresql: Memory disclosure in JSON functions (CVE-2017-15098)

  - postgresql: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges (CVE-2017-15099)

  - postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask (CVE-2018-1053)

  - postgresql: Uncontrolled search path element in pg_dump and other client applications (CVE-2018-1058)

  - postgresql: Too-permissive access control list on function pg_logfile_rotate() (CVE-2018-1115)

  - postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915)

  - postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements     (CVE-2018-10925)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2511 advisory.

  - postgresql: Memory disclosure in JSON functions (CVE-2017-15098)

  - postgresql: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges (CVE-2017-15099)

  - postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask (CVE-2018-1053)

  - postgresql: Uncontrolled search path element in pg_dump and other client applications (CVE-2018-1058)

  - postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915)

  - postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements     (CVE-2018-10925)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for postgresql95 fixes the following issues :

Upate to PostgreSQL 9.5.11 :

Security issues fixed :

  - https://www.postgresql.org/docs/9.5/static/release-9-5-11.html 

  - CVE-2018-1053, boo#1077983: Ensure that all temporary     files made by pg_upgrade are non-world-readable. 

  - boo#1079757: Rename pg_rewind's copy_file_range function     to avoid conflict with new Linux system call of that     name.

In version 9.5.10 :

  - https://www.postgresql.org/docs/9.5/static/release-9-5-10.html

  - CVE-2017-15098, boo#1067844: Memory disclosure in JSON     functions.

  - CVE-2017-15099, boo#1067841: INSERT ... ON CONFLICT DO     UPDATE fails to enforce SELECT privileges.

In version 9.5.9 :

  - https://www.postgresql.org/docs/9.5/static/release-9-5-9.html

  - Show foreign tables in     information_schema.table_privileges view.

  - Clean up handling of a fatal exit (e.g., due to receipt     of SIGTERM) that occurs while trying to execute a     ROLLBACK of a failed transaction.

  - Remove assertion that could trigger during a fatal exit.

  - Correctly identify columns that are of a range type or     domain type over a composite type or domain type being     searched for.

  - Fix crash in pg_restore when using parallel mode and     using a list file to select a subset of items to     restore.

  - Change ecpg's parser to allow RETURNING clauses without     attached C variables.

In version 9.5.8

  - https://www.postgresql.org/docs/9.5/static/release-9-5-8.html

  - CVE-2017-7547, boo#1051685: Further restrict visibility     of pg_user_mappings.umoptions, to protect passwords     stored as user mapping options.

  - CVE-2017-7546, boo#1051684: Disallow empty passwords in     all password-based authentication methods.

  - CVE-2017-7548, boo#1053259: lo_put() function ignores     ACLs.

This update for postgresql96 fixes the following issues: Security issues fixed :

  - CVE-2017-15098: Fix crash due to rowtype mismatch in     json{b}_populate_recordset() (bsc#1067844).

  - CVE-2017-15099: Ensure that INSERT ... ON CONFLICT DO     UPDATE checks table permissions and RLS policies in all     cases (bsc#1067841). Bug fixes :

  - Update to version 9.6.6 :

  - https://www.postgresql.org/docs/9.6/static/release-9-6-6.html

  - https://www.postgresql.org/docs/9.6/static/release-9-6-5.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for postgresql96 fixes the following issues :

Security issues fixed :

  - CVE-2017-15098: Fix crash due to rowtype mismatch in     json(b)_populate_recordset() (bsc#1067844).

  - CVE-2017-15099: Ensure that INSERT ... ON CONFLICT DO     UPDATE checks table permissions and RLS policies in all     cases (bsc#1067841).

Bug fixes :

  - Update to version 9.6.6 :

  - https://www.postgresql.org/docs/9.6/static/release-9-6-6.html

  - https://www.postgresql.org/docs/9.6/static/release-9-6-5.html

This update was imported from the SUSE:SLE-12:Update update project.

Privilege escalation flaws were found in the initialization scripts of PostgreSQL. A remote attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.(CVE-2017-12172)

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.(CVE-2017-15099)

Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL can crash the server or disclose a few bytes of server memory.(CVE-2017-15098)

The version of PostgreSQL installed on the remote host is 9.2.x prior to 9.2.24, 9.3.x prior to 9.3.20, 9.4.x prior to 9.4.15, 9.5.x prior to 9.5.10, 9.6.x prior to 9.6.6, or 10.x prior to 10.1. It is, therefore, affected by multiple vulnerabilities including a denial of service attack.

David Rowley discovered that PostgreSQL incorrectly handled memory when processing certain JSON functions. A remote attacker could possibly use this issue to obtain sensitive information.
(CVE-2017-15098)

Dean Rasheed discovered that PostgreSQL incorrectly enforced SELECT privileges when processing INSERT ... ON CONFLICT DO UPDATE commands.
A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 16.04 LTS, Ubuntu 17.04 and Ubuntu 17.10.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The PostgreSQL project reports :

- CVE-2017-15098: Memory disclosure in JSON functions

- CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges

Several vulnerabilities have been found in the PostgreSQL database system :

  - CVE-2017-15098     Denial of service and potential memory disclosure in the     json_populate_recordset() and jsonb_populate_recordset()     functions

  - CVE-2017-15099     Insufficient permissions checks in 'INSERT ... ON     CONFLICT DO UPDATE' statements.

ID	Name	Product	Family	Severity
194117	RHEL 6 / 7 : rh-postgresql96-postgresql (RHSA-2018:2566)	Nessus	Red Hat Local Security Checks	critical
194013	RHEL 6 / 7 : rh-postgresql95-postgresql (RHSA-2018:2511)	Nessus	Red Hat Local Security Checks	high
106965	openSUSE Security Update : postgresql95 (openSUSE-2018-204)	Nessus	SuSE Local Security Checks	critical
105458	SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2017:3391-1)	Nessus	SuSE Local Security Checks	high
105454	openSUSE Security Update : postgresql96 (openSUSE-2017-1411)	Nessus	SuSE Local Security Checks	high
105054	Amazon Linux AMI : postgresql95 / postgresql96 (ALAS-2017-930)	Nessus	Amazon Linux Local Security Checks	high
104574	PostgreSQL 9.2.x < 9.2.24 / 9.3.x < 9.3.20 / 9.4.x < 9.4.15 / 9.5.x < 9.5.10 / 9.6.x < 9.6.6 / 10.x < 10.1 Multiple Vulnerabilities	Nessus	Databases	medium
104569	Ubuntu 14.04 LTS / 16.04 LTS : PostgreSQL vulnerabilities (USN-3479-1)	Nessus	Ubuntu Local Security Checks	high
104489	FreeBSD : PostgreSQL vulnerabilities (1f02af5d-c566-11e7-a12d-6cc21735f730)	Nessus	FreeBSD Local Security Checks	high
104484	Debian DSA-4028-1 : postgresql-9.6 - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2017-15099

medium

Tenable Plugins

critical

high

critical

high

high

high

medium

high

high

high