openSUSE-SU-2020:1228

openSUSE-SU-2020:1244

openSUSE-SU-2020:1243

openSUSE-SU-2020:1312

openSUSE-SU-2020:1326

https://bugzilla.redhat.com/show_bug.cgi?id=1865744

GLSA-202008-13

https://security.netapp.com/advisory/ntap-20200918-0002/

USN-4472-1

An update of the postgresql package has been released.

According to the versions of the postgresql packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - It was found that PostgreSQL versions before 12.4,     before 11.9 and before 10.14 did not properly sanitize     the search_path during logical replication. An     authenticated attacker could use this flaw in an attack     similar to CVE-2018-1058, in order to execute arbitrary     SQL command in the context of the user used for     replication.(CVE-2020-14349)

  - It was found that some PostgreSQL extensions did not     use search_path safely in their installation script. An     attacker with sufficient privileges could use this flaw     to trick an administrator into executing a specially     crafted script, during the installation or update of     such extension.(CVE-2020-14350)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-3669 advisory.

  - A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8,     9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for     tables. Certain statistics, such as histograms and lists of most common values, contain values taken from     the column. PostgreSQL does not evaluate row security policies before consulting those statistics during     query planning; an attacker can exploit this to read the most common values of certain columns. Affected     columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-     level security prunes the set of rows visible to the attacker. (CVE-2019-10130)

  - PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer     overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to     a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system     account. (CVE-2019-10164)

  - A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before     9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a     suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute     arbitrary SQL as the owner of the function. (CVE-2019-10208)

  - A flaw was found in PostgreSQL's ALTER ... DEPENDS ON EXTENSION, where sub-commands did not perform     authorization checks. An authenticated attacker could use this flaw in certain configurations to perform     drop objects such as function, triggers, et al., leading to database corruption. This issue affects     PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17. (CVE-2020-1720)

  - It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize     the search_path during logical replication. An authenticated attacker could use this flaw in an attack     similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for     replication. (CVE-2020-14349)

  - It was found that some PostgreSQL extensions did not use search_path safely in their installation script.
    An attacker with sufficient privileges could use this flaw to trick an administrator into executing a     specially crafted script, during the installation or update of such extension. This affects PostgreSQL     versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. (CVE-2020-14350)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3669 advisory.

  - postgresql: Selectivity estimators bypass row security policies (CVE-2019-10130)

  - postgresql: Stack-based buffer overflow via setting a password (CVE-2019-10164)

  - postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution (CVE-2019-10208)

  - postgresql: Uncontrolled search path element in logical replication (CVE-2020-14349)

  - postgresql: Uncontrolled search path element in CREATE EXTENSION (CVE-2020-14350)

  - postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks (CVE-2020-1720)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for postgresql10 fixes the following issues :

  - update to 10.14 :

  - CVE-2020-14349, bsc#1175193: Set a secure search_path in     logical replication walsenders and apply workers

  - CVE-2020-14350, bsc#1175194: Make contrib modules'     installation scripts more secure.

  - https://www.postgresql.org/docs/10/release-10-14.html

This update was imported from the SUSE:SLE-15-SP1:Update update project.

This update for postgresql10 fixes the following issues :

update to 10.14 :

  - CVE-2020-14349, bsc#1175193: Set a secure search_path in     logical replication walsenders and apply workers

  - CVE-2020-14350, bsc#1175194: Make contrib modules'     installation scripts more secure.

  - https://www.postgresql.org/docs/10/release-10-14.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202008-13 (PostgreSQL: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PostgreSQL. Please       review the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

Noah Misch discovered that PostgreSQL incorrectly handled the search_path setting when used with logical replication. A remote attacker could possibly use this issue to execute arbitrary SQL code.
This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-14349) Andres Freund discovered that PostgreSQL incorrectly handled search path elements in CREATE EXTENSION. A remote attacker could possibly use this issue to execute arbitrary SQL code.
(CVE-2020-14350).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for postgresql12 fixes the following issues :

  - update to 12.4 :

  - CVE-2020-14349, bsc#1175193: Set a secure search_path in     logical replication walsenders and apply workers

  - CVE-2020-14350, bsc#1175194: Make contrib modules'     installation scripts more secure.

  - https://www.postgresql.org/docs/12/release-12-4.html

This update was imported from the SUSE:SLE-15-SP1:Update update project.

This update for postgresql, postgresql96, postgresql10, postgresql12 fixes the following issues :

Postgresql12 was updated to 12.3 (bsc#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/12/release-12-3.html

  - Let postgresqlXX conflict with postgresql-noarch <     12.0.1 to get a clean and complete cutover to the new     packaging schema.

Also changed in the postgresql wrapper package :

  - Bump version to 12.0.1, so that the binary packages also     have a cut-point to conflict with.

  - Conflict with versions of the binary packages prior to     the May 2020 update, because we changed the package     layout at that point and need a clean cutover.

  - Bump package version to 12, but leave default at 10 for     SLE-15 and SLE-15-SP1.

postgresql11 was updated to 11.9 :

  - CVE-2020-14349, bsc#1175193: Set a secure search_path in     logical replication walsenders and apply workers

  - CVE-2020-14350, bsc#1175194: Make contrib modules'     installation scripts more secure.

- https://www.postgresql.org/docs/11/release-11-9.html

  - Pack the /usr/lib/postgresql symlink only into the main     package.

postgresql11 was updated to 11.8 (bsc#1171924).

  - https://www.postgresql.org/about/news/2038/

  - https://www.postgresql.org/docs/11/release-11-8.html

  - Unify the spec file to work across all current     PostgreSQL versions to simplify future maintenance.

  - Move from the 'libs' build flavour to a 'mini' package     that will only be used inside the build service and not     get shipped, to avoid confusion with the debuginfo     packages (bsc#1148643).

postgresql10 was updated to 10.13 (bsc#1171924).

- https://www.postgresql.org/about/news/2038/

- https://www.postgresql.org/docs/10/release-10-13.html

  - Unify the spec file to work across all current     PostgreSQL versions to simplify future maintenance.

  - Move from the 'libs' build flavour to a 'mini' package     that will only be used inside the build service and not     get shipped, to avoid confusion with the debuginfo     packages (bsc#1148643).

postgresql96 was updated to 9.6.19 :

  - CVE-2020-14350, boo#1175194: Make contrib modules'     installation scripts more secure.

  - https://www.postgresql.org/docs/9.6/release-9-6-19.html

  - Pack the /usr/lib/postgresql symlink only into the main     package.

  - Let postgresqlXX conflict with postgresql-noarch <     12.0.1 to get a clean and complete cutover to the new     packaging schema.

  - update to 9.6.18 (boo#1171924).
    https://www.postgresql.org/about/news/2038/     https://www.postgresql.org/docs/9.6/release-9-6-18.html

  - Unify the spec file to work across all current     PostgreSQL versions to simplify future maintenance.

  - Move from the 'libs' build flavour to a 'mini' package     that will only be used inside the build service and not     get shipped, to avoid confusion with the debuginfo     packages (boo#1148643).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The version of PostgreSQL installed on the remote host is 9.5 prior to 9.5.23, 9.6 prior to 9.6.19, 10 prior to 10.14, 11 prior to 11.9, or 12 prior to 12.4. As such, it is potentially affected by multiple vulnerabilities :

  - Uncontrolled search path element in logical replication     (CVE-2020-14349)

  - Uncontrolled search path element in CREATE EXTENSION     (CVE-2020-14350)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for postgresql12 fixes the following issues :

update to 12.4 :

  - CVE-2020-14349, bsc#1175193: Set a secure search_path in     logical replication walsenders and apply workers

  - CVE-2020-14350, bsc#1175194: Make contrib modules'     installation scripts more secure.

  - https://www.postgresql.org/docs/12/release-12-4.html

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
141640	Photon OS 1.0: Postgresql PHSA-2020-1.0-0321	Nessus	PhotonOS Local Security Checks	medium
141004	EulerOS 2.0 SP8 : postgresql (EulerOS-SA-2020-2156)	Nessus	Huawei Local Security Checks	medium
140663	Photon OS 2.0: Postgresql PHSA-2020-2.0-0281	Nessus	PhotonOS Local Security Checks	medium
140486	Oracle Linux 8 : postgresql:10 (ELSA-2020-3669)	Nessus	Oracle Linux Local Security Checks	high
140412	Photon OS 3.0: Postgresql PHSA-2020-3.0-0137	Nessus	PhotonOS Local Security Checks	medium
140398	RHEL 8 : postgresql:10 (RHSA-2020:3669)	Nessus	Red Hat Local Security Checks	high
140366	openSUSE Security Update : postgresql10 (openSUSE-2020-1326)	Nessus	SuSE Local Security Checks	medium
140173	openSUSE Security Update : postgresql10 (openSUSE-2020-1312)	Nessus	SuSE Local Security Checks	medium
140025	SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2020:2355-1)	Nessus	SuSE Local Security Checks	medium
139889	GLSA-202008-13 : PostgreSQL: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
139848	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 : PostgreSQL vulnerabilities (USN-4472-1)	Nessus	Ubuntu Local Security Checks	medium
139769	openSUSE Security Update : postgresql12 (openSUSE-2020-1244)	Nessus	SuSE Local Security Checks	medium
139768	openSUSE Security Update : postgresql12 (openSUSE-2020-1243)	Nessus	SuSE Local Security Checks	medium
139765	openSUSE Security Update : postgresql / postgresql96 / postgresql10 / etc (openSUSE-2020-1228)	Nessus	SuSE Local Security Checks	medium
139746	PostgreSQL 9.5.x < 9.5.23 / 9.6.x < 9.6.19 / 10.x < 10.14 / 11.x < 11.9 / 12.x < 12.4 Multiple Vulnerabilities	Nessus	Databases	medium
139691	SUSE SLED15 / SLES15 Security Update : postgresql12 (SUSE-SU-2020:2271-1)	Nessus	SuSE Local Security Checks	medium
139687	SUSE SLED15 / SLES15 Security Update : postgresql12 (SUSE-SU-2020:2265-1)	Nessus	SuSE Local Security Checks	medium
139686	SUSE SLES15 Security Update : postgresql10 (SUSE-SU-2020:2264-1)	Nessus	SuSE Local Security Checks	medium

CVE-2020-14349

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins