RHEL 8 : postgresql:13 (RHSA-2023:7580)

high Nessus Plugin ID 186435

Synopsis

The remote Red Hat host is missing one or more security updates for postgresql:13.

Description

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7580 advisory.

- A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser. (CVE-2022-2625)

- In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes. (CVE-2022-41862)

- schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code. (CVE-2023-2454)

- Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. (CVE-2023-2455)

- IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser. (CVE-2023-39417)

- A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory. (CVE-2023-5868)

- A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory. (CVE-2023-5869)

- A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack. (CVE-2023-5870)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the RHEL postgresql:13 package based on the guidance in RHSA-2023:7580.

See Also

https://access.redhat.com/security/cve/CVE-2022-2625

https://access.redhat.com/security/cve/CVE-2022-41862

https://access.redhat.com/security/cve/CVE-2023-2454

https://access.redhat.com/security/cve/CVE-2023-2455

https://access.redhat.com/security/cve/CVE-2023-5868

https://access.redhat.com/security/cve/CVE-2023-5869

https://access.redhat.com/security/cve/CVE-2023-5870

https://access.redhat.com/security/cve/CVE-2023-39417

https://access.redhat.com/errata/RHSA-2023:7580

Plugin Details

Severity: High

ID: 186435

File Name: redhat-RHSA-2023-7580.nasl

Version: 1.5

Type: local

Agent: unix

Published: 11/29/2023

Updated: 2/16/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-5869

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:redhat:rhel_aus:8.6, cpe:/o:redhat:rhel_e4s:8.6, cpe:/o:redhat:rhel_eus:8.6, cpe:/o:redhat:rhel_tus:8.6, p-cpe:/a:redhat:enterprise_linux:pg_repack, p-cpe:/a:redhat:enterprise_linux:pgaudit, p-cpe:/a:redhat:enterprise_linux:postgres-decoderbufs, p-cpe:/a:redhat:enterprise_linux:postgresql, p-cpe:/a:redhat:enterprise_linux:postgresql-contrib, p-cpe:/a:redhat:enterprise_linux:postgresql-docs, p-cpe:/a:redhat:enterprise_linux:postgresql-plperl, p-cpe:/a:redhat:enterprise_linux:postgresql-plpython3, p-cpe:/a:redhat:enterprise_linux:postgresql-pltcl, p-cpe:/a:redhat:enterprise_linux:postgresql-server, p-cpe:/a:redhat:enterprise_linux:postgresql-server-devel, p-cpe:/a:redhat:enterprise_linux:postgresql-static, p-cpe:/a:redhat:enterprise_linux:postgresql-test, p-cpe:/a:redhat:enterprise_linux:postgresql-test-rpm-macros, p-cpe:/a:redhat:enterprise_linux:postgresql-upgrade, p-cpe:/a:redhat:enterprise_linux:postgresql-upgrade-devel

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Ease: No known exploits are available

Patch Publication Date: 11/29/2023

Vulnerability Publication Date: 8/11/2022

Reference Information

CVE: CVE-2022-2625, CVE-2022-41862, CVE-2023-2454, CVE-2023-2455, CVE-2023-39417, CVE-2023-5868, CVE-2023-5869, CVE-2023-5870

CWE: 1321, 190, 20, 200, 400, 686, 89, 915

IAVB: 2022-B-0028-S, 2023-B-0009-S, 2023-B-0034-S, 2023-B-0060-S, 2023-B-0088-S

RHSA: 2023:7580