TLP: WHITE
MS-ISAC CYBERSECURITY ADVISORY
MS-ISAC ADVISORY NUMBER:
2018-128
DATE(S) ISSUED:
11/14/2018
SUBJECT:
Multiple Vulnerabilities in PostgreSQL Could Allow for Arbitrary Code Execution
OVERVIEW:
Multiple SQL injection vulnerabilities have been discovered in PostgreSQL that could allow for arbitrary code execution. PostgreSQL is an object-relational database management system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could allow them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.
THREAT INTELLIGENCE:
There are currently no reports of this vulnerability being actively exploited in the wild.
SYSTEM AFFECTED:
· PostgreSQL versions prior to 11.1 and 10.6
RISK:
Government:
Businesses:
Home users: Low
TECHNICAL SUMMARY:
Multiple SQL injection vulnerabilities have been discovered in PostgreSQL that could allow for arbitrary code execution. The vulnerabilities are the result of the application’s failure to sufficiently sanitize user-supplied input before using it in an SQL query. These vulnerabilities allow attackers with the CREATE permission (or Trigger permission in some tables) to exploit input sanitization vulnerabilities in the pg_upgrade and pg_dump functions. The CREATE permission is automatically given to new users on the public schema, and the public schema is the default schema used on these databases. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could allow them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.
RECOMMENDATIONS:
We recommend the following actions be taken:
REFERENCES:
PostgreSQL:
https://www.postgresql.org/message-id/15440-02d14...@postgresql.org
Redhat:
https://bugzilla.redhat.com/show_bug.cgi?id=1645937
CVE:
https://access.redhat.com/security/cve/cve-2018-16850
24×7 Security Operations Center
Multi-State Information Sharing and Analysis Center (MS-ISAC)
Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061
S...@cisecurity.org - 1-866-787-4722
TLP: WHITE
Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.
Bob
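The technical summary ties exposure to the server version, to CREATE on the public schema, and to the TRIGGER privilege on tables. The following audit is an added example, not part of the MS-ISAC advisory or the PostgreSQL project's guidance. It assumes a superuser session in each database that pg_dump or pg_upgrade will process, and its final REVOKE assumes application roles receive explicit grants instead of relying on the default.

```sql
-- 1. Server version: the advisory lists versions prior to 11.1 and 10.6 as affected.
SHOW server_version;

-- 2. Non-superuser login roles that can create objects in schema public,
--    whether granted directly, through role membership, or via PUBLIC.
SELECT r.rolname
FROM pg_roles AS r
WHERE r.rolcanlogin
  AND NOT r.rolsuper
  AND has_schema_privilege(r.oid, 'public', 'CREATE')
ORDER BY r.rolname;

-- 3. Explicit TRIGGER grants on tables outside the system schemas.
SELECT grantee, table_schema, table_name
FROM information_schema.table_privileges
WHERE privilege_type = 'TRIGGER'
  AND table_schema NOT IN ('pg_catalog', 'information_schema')
ORDER BY grantee, table_schema, table_name;

-- 4. User-defined triggers that already exist, with the table owner,
--    so each definition can be reviewed before the next dump or upgrade.
SELECT n.nspname                    AS table_schema,
       c.relname                    AS table_name,
       t.tgname                     AS trigger_name,
       pg_get_userbyid(c.relowner)  AS table_owner,
       pg_get_triggerdef(t.oid)     AS definition
FROM pg_trigger AS t
JOIN pg_class AS c     ON c.oid = t.tgrelid
JOIN pg_namespace AS n ON n.oid = c.relnamespace
WHERE NOT t.tgisinternal
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2, 3;

-- 5. Optional hardening (assumption: no application depends on the default grant).
--    Removes the automatic CREATE privilege on schema public from all roles.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Re-run query 2 after the REVOKE; any role still listed holds CREATE through a direct grant or role membership and needs a separate review.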