Multiple Vulnerabilities in PostgreSQL Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2018-117
Date(s) Issued: Wednesday, November 14, 2018
Subject: Multiple Vulnerabilities in PostgreSQL Could Allow for Arbitrary Code Execution
Overview: 

Multiple SQL injection vulnerabilities have been discovered in PostgreSQL that could allow for arbitrary code execution. PostgreSQL is an object-relational database management system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could allow them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.


THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being actively exploited in the wild.

Systems Affected: 
  • PostgreSQL versions prior to 11.1 and 10.6

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

Multiple SQL injection vulnerabilities have been discovered in PostgreSQL that could allow for arbitrary code execution. The vulnerabilities are the result of the application's failure to sufficiently sanitize user-supplied input before using it in an SQL query. These vulnerabilities allow attackers with the CREATE permission (or the TRIGGER permission on some tables) to exploit input sanitization vulnerabilities in the pg_upgrade and pg_dump utilities. The CREATE permission is automatically given to new users on the public schema, and the public schema is the default schema used on these databases. Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary SQL statements, which could allow them to compromise the application, access or modify data, or exploit other vulnerabilities in the database.

Actions: 
  • After appropriate testing, immediately install the update provided by PostgreSQL.

  • Verify no unauthorized modifications have occurred on the system before applying the patch.

  • Monitor intrusion detection systems for any signs of anomalous activity.

  • Unless required, limit external network access to affected products.
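As an added example (not part of the ITS advisory or of PostgreSQL's own guidance), the SQL below lets an administrator check the two preconditions the Description names: whether the server is still below the fixed releases, and which roles, including the PUBLIC pseudo-role, hold CREATE on the public schema. The REVOKE at the end is a hardening step assumed here rather than an action the advisory lists; it narrows the precondition for ordinary users but does not substitute for installing the update.

```sql
-- Added example: run with psql as a superuser against the instance being assessed.

-- 1. Version check against the fixed releases named in the advisory (11.1 and 10.6).
--    server_version_num encodes 11.0 as 110000, 11.1 as 110001, 10.5 as 100005, etc.
SELECT v.num          AS server_version_num,
       version()      AS server_version,
       CASE
         WHEN v.num >= 110000 AND v.num < 110001 THEN 'AFFECTED: update to 11.1'
         WHEN v.num >= 100000 AND v.num < 100006 THEN 'AFFECTED: update to 10.6'
         WHEN v.num <  100000                    THEN 'older branch: consult the PostgreSQL release notes'
         ELSE 'fixed release'
       END            AS status
FROM (SELECT current_setting('server_version_num')::int AS num) AS v;

-- 2. Who can CREATE in schema public?  The ACL entry with grantee OID 0 is the
--    PUBLIC pseudo-role, i.e. every login role inherits it.  A NULL nspacl means
--    the built-in default applies, so acldefault() is used to expand it.
SELECT COALESCE(pg_get_userbyid(NULLIF(a.grantee, 0)), 'PUBLIC') AS grantee,
       a.privilege_type,
       a.is_grantable
FROM pg_namespace AS n,
     LATERAL aclexplode(COALESCE(n.nspacl, acldefault('n', n.nspowner))) AS a
WHERE n.nspname = 'public'
  AND a.privilege_type = 'CREATE';

-- 3. Hardening (assumed here, not listed by the advisory): remove the default
--    CREATE grant that every new user inherits on the public schema.  Roles that
--    legitimately need to create objects there must be granted CREATE explicitly
--    afterwards, e.g. GRANT CREATE ON SCHEMA public TO app_owner;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Re-run query 2 after the REVOKE; the row for grantee PUBLIC should no longer appear, while named roles that were granted CREATE directly will still be listed.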