Fwd: MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in PostgreSQL Could Allow for Arbitrary Code Execution - PATCH: NOW - TLP: WHITE


Bob Jolliffe

Nov 14, 2018, 5:58:06 PM
to dhis2-system-...@googlegroups.com, secu...@dhis2.org
Hi

I haven't had a chance to check this but it looks potentially serious.  If anybody has an opportunity to look into it and check whether the linux distros have made a security release already please let the rest of us know.

Cheers
Bob

---------- Forwarded message ---------
From: MS-ISAC Advisory <MS-ISAC....@msisac.org>
Date: Wed, 14 Nov 2018 at 21:03
Subject: MS-ISAC CYBERSECURITY ADVISORY - Multiple Vulnerabilities in PostgreSQL Could Allow for Arbitrary Code Execution - PATCH: NOW - TLP: WHITE
To: Thomas Duffy <Thomas...@cisecurity.org>


TLP: WHITE

MS-ISAC CYBERSECURITY ADVISORY

MS-ISAC ADVISORY NUMBER: 2018-128

DATE(S) ISSUED: 11/14/2018

SUBJECT: Multiple Vulnerabilities in PostgreSQL Could Allow for Arbitrary Code Execution

OVERVIEW:

Multiple SQL injection vulnerabilities have been discovered in PostgreSQL that could allow for arbitrary code execution. PostgreSQL is an object-relational database management system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could allow them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.

THREAT INTELLIGENCE:

There are currently no reports of this vulnerability being actively exploited in the wild.

SYSTEM AFFECTED:

  • PostgreSQL versions prior to 11.1 and 10.6

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

TECHNICAL SUMMARY:

Multiple SQL injection vulnerabilities have been discovered in PostgreSQL that could allow for arbitrary code execution. The vulnerabilities are the result of the application’s failure to sufficiently sanitize user-supplied input before using it in an SQL query. These vulnerabilities allow attackers with the CREATE permission (or Trigger permission in some tables) to exploit input sanitation vulnerabilities in the pg_upgrade and pg_dump functions. The CREATE permission is automatically given to new users on the public schema, and the public schema is the default schema used on these databases. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could allow them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the update provided by PostgreSQL immediately after appropriate testing.
  • Verify no unauthorized modifications have occurred on system before applying patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
  • Unless required, limit external network access to affected products.

REFERENCES:

PostgreSQL:
https://www.postgresql.org/message-id/15440-02d14...@postgresql.org

Redhat:
https://bugzilla.redhat.com/show_bug.cgi?id=1645937

CVE:
https://access.redhat.com/security/cve/cve-2018-16850

24×7 Security Operations Center

Multi-State Information Sharing and Analysis Center (MS-ISAC)

Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)

31 Tech Valley Drive

East Greenbush, NY 12061

S...@cisecurity.org - 1-866-787-4722

TLP: WHITE

Disclosure is not limited. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

http://www.us-cert.gov/tlp/

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.

Bob Jolliffe

Nov 14, 2018, 6:07:10 PM
to dhis2-system-...@googlegroups.com, secu...@dhis2.org
OK, now that I have read the CVE, it looks like it probably would not impact most DHIS2 implementations.  Orgs with multiple users and instances might need to verify a bit carefully, especially if they are doing anything custom with TRIGGERs.

Either way, it looks like upgrade to 10.6 or 11.1 is not a bad idea.

Cheers
Bob
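Checks for the preconditions the advisory and Bob's reply describe (fixed release, CREATE on the public schema, custom triggers), as an added example that is not part of the advisory or of the thread; it assumes a psql superuser session, and the REVOKE at the end is a hardening step of my own, not one the advisory lists.

```sql
-- Added example (not from the advisory or the thread): read-only checks a
-- defender would run in psql to see whether an instance meets the advisory's
-- preconditions. Assumes a superuser session on PostgreSQL 10 or 11.

-- 1. Version check. The advisory names 10.6 and 11.1 as the fixed releases
--    (server_version_num is e.g. 100005 for 10.5, 110000 for 11.0).
WITH v AS (SELECT current_setting('server_version_num')::int AS vnum)
SELECT version() AS full_version,
       vnum,
       CASE
         WHEN vnum >= 100000 AND vnum < 100006 THEN 'below 10.6: patch'
         WHEN vnum >= 110000 AND vnum < 110001 THEN 'below 11.1: patch'
         WHEN vnum <  100000 THEN 'older branch: not named in the advisory, check release notes'
         ELSE 'at or above the fixed release'
       END AS status
FROM v;

-- 2. Who holds CREATE on the public schema. The advisory notes this is
--    granted to every new user by default; a NULL nspacl means the default
--    ACL applies, so acldefault() is expanded instead. Grantee oid 0 is the
--    PUBLIC pseudo-role and is shown as 'PUBLIC'.
SELECT coalesce(r.rolname, 'PUBLIC') AS grantee,
       a.privilege_type
FROM pg_namespace n
CROSS JOIN LATERAL aclexplode(coalesce(n.nspacl, acldefault('n', n.nspowner))) AS a
LEFT JOIN pg_roles r ON r.oid = a.grantee
WHERE n.nspname = 'public'
  AND a.privilege_type = 'CREATE';

-- 3. Non-system triggers, which Bob's reply flags as worth a careful look.
SELECT tgrelid::regclass AS table_name,
       tgname,
       tgfoid::regproc AS trigger_function
FROM pg_trigger
WHERE NOT tgisinternal
ORDER BY 1, 2;

-- 4. Hardening step NOT listed in the advisory (my own assumption of a
--    sensible interim mitigation): withdraw the default CREATE grant on
--    public. Uncomment only after confirming no application relies on it.
-- REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Query 2 returning a row with grantee PUBLIC on an unpatched server is the combination the advisory's technical summary describes; query 3 gives the list to review before and after patching.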

rom...@tohouri.com

Nov 14, 2018, 6:55:19 PM
to Bob Jolliffe, dhis2-system-...@googlegroups.com, secu...@dhis2.org
Thanks Bob for sharing, this is very important.

Romain


-- 
You received this message because you are subscribed to the Google Groups "DHIS2 system administrators" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dhis2-system-admini...@googlegroups.com.
To post to this group, send email to dhis2-system-...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/dhis2-system-administrators/CACd%3Df9c_tonzw6ssLKerSQL6UQOjYJhs0vKvsXC%3Dn4R_L-7Beg%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Joseph Hariyaram

Nov 14, 2018, 10:26:57 PM
to rom...@tohouri.com, bobjo...@gmail.com, dhis2-system-...@googlegroups.com, secu...@dhis2.org
Thank you very much Bob.

--
J. Joseph Hariyaram (BIT UCSC, MSc in Computer Science)
Assistant Director - ICT
Family Health Bureau, Ministry of Health,
231, De Saram Place,
Colombo 10.


Abdoulwahabou Souley

Nov 15, 2018, 6:38:14 AM
to Joseph Hariyaram, rom...@tohouri.com, bobjo...@gmail.com, dhis2-system-...@googlegroups.com, secu...@dhis2.org
Thanks Bob for sharing!

Souley Abdoulwahabou
System Administration Engineer
Telecom Network Engineer
Application Developer
Tel: 227 96-49-81-52 / 90-83-59-63