IMPORTANT SECURITY UPDATE NOW AVAILABLE
Download VMware vFabric Postgres Security Update
The PostgreSQL Project has released an important security update for all supported versions including v9.2.4, v9.1.9, v9.0.13, and v8.4.17. Likewise, VMware has also released updated versions of the vFabric Postgres distribution.
This release includes a fix for a high-exposure security vulnerability (CVE-2013-1899) that is considered so important, the PostgreSQL project pre-announced this release last week and closed development to protect the vulnerability from being exploited before the threat had an update readily available to protect users against it.
All users are strongly urged to apply the update as soon as it is available.
As always, update releases only require installation of packages and a database system restart. You do not need to dump/restore or use pg_upgrade for this update release.
Are there any known exploits "in the wild" for this vulnerability?
There are no known exploits at the time of release.
Who is particularly vulnerable because of this issue?
Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable. Users whose servers are only accessible on protected internal networks, or who have effective firewalling or other network access restrictions, are less vulnerable.
This is a good general rule for database security: do not allow port access to the database server from untrusted networks unless it is absolutely necessary. This is as true, or more true, of other database systems as it is of PostgreSQL.
What is the nature of the vulnerability?
The vulnerability allows users to use a command-line switch for a PostgreSQL connection intended for single-user recovery mode while PostgreSQL is running in normal, multiuser mode. This can be used to harm the server.
What potential exploits are enabled by this vulnerability?
- Persistent Denial of Service: an unauthenticated attacker may use this vulnerability to cause PostgreSQL error messages to be appended to targeted files in the PostgreSQL data directory on the server. Files corrupted in this way may cause the database server to crash, and to refuse to restart. The database server can be fixed either by editing the files and removing the garbage text, or restoring from backup.
- Configuration Setting Privilege Escalation: in the event that an attacker has a legitimate login on the database server, and the server is configured such that this user name and the database name are identical (e.g. user web, database web), then this vulnerability may be used to temporarily set one configuration variable with the privileges of the superuser.
- Arbitrary Code Execution: if the attacker meets all of the qualifications under 2 above, and has the ability to save files to the filesystem as well (even to the tmp directory), then they can use the vulnerability to load and execute arbitrary C code. SELinux will prevent this specific type of exploit.
Which major versions of PostgreSQL are affected?
Versions 9.0, 9.1 and 9.2.
Users of version 8.4 are not affected. Users of version 8.3 and earlier are not affected by this issue, but are vulnerable to other unpatched security vulnerabilities, since those versions are EOL.
How can users protect themselves?
- Download the update release and update all of your servers as soon as possible.
- Ensure that PostgreSQL is not open to connections from untrusted networks.
- Audit your database users to be certain that all logins require proper credentials, and that the only logins which exist are legitimate and in current use.
Use of advanced security frameworks, such as SELinux with PostgreSQL's SEPostgres extension, also lessen or eliminate the exposure and potential damage from PostgreSQL security vulnerabilities.
See the complete FAQ on this release for more information on how the vulnerability was discovered, reported and who had access to the information and fix prior to the release being made generally available.