Amazon Linux AMI : postgresql96 (ALAS-2017-908)
High Nessus Plugin ID 103755
Synopsis
The remote Amazon Linux AMI host is missing a security update.
Description
The pg_user_mappings view discloses passwords to users lacking server privileges:
An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547)
Empty password accepted in some authentication methods:
It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546)
Solution
Run 'yum update postgresql96' to update your system.