
PostgreSQL Security Release Now Available


Download VMware vFabric Postgres Security Update
Download immediately

The PostgreSQL Project has released an important security update for all supported versions including v9.2.4, v9.1.9, v9.0.13, and v8.4.17. Likewise, VMware has also released updated versions of the vFabric Postgres distribution.

This release includes a fix for a high-exposure security vulnerability (CVE-2013-1899) that was considered so important that the PostgreSQL project pre-announced the release last week and froze development, so that the vulnerability would not be exploited before an update was readily available to protect users.

All users are strongly urged to apply the update as soon as it is available.

As always, update releases only require installation of packages and a database system restart. You do not need to dump/restore or use pg_upgrade for this update release.

Below is an excerpt of the nature of security vulnerability CVE-2013-1899 as published by the PostgreSQL developers:

Are there any known exploits “in the wild” for this vulnerability?

There are no known exploits at the time of release.

Who is particularly vulnerable because of this issue?

Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable. Users whose servers are only accessible on protected internal networks, or who have effective firewalling or other network access restrictions, are less vulnerable.

This is a good general rule for database security: do not allow port access to the database server from untrusted networks unless it is absolutely necessary. This is as true, or more true, of other database systems as it is of PostgreSQL.

What is the nature of the vulnerability?

The vulnerability allows users to use a command-line switch for a PostgreSQL connection intended for single-user recovery mode while PostgreSQL is running in normal, multiuser mode. This can be used to harm the server.

What potential exploits are enabled by this vulnerability?

  1. Persistent Denial of Service: an unauthenticated attacker may use this vulnerability to cause PostgreSQL error messages to be appended to targeted files in the PostgreSQL data directory on the server. Files corrupted in this way may cause the database server to crash, and to refuse to restart. The database server can be fixed either by editing the files and removing the garbage text, or restoring from backup.
  2. Configuration Setting Privilege Escalation: in the event that an attacker has a legitimate login on the database server, and the server is configured such that this user name and the database name are identical (e.g. user web, database web), then this vulnerability may be used to temporarily set one configuration variable with the privileges of the superuser.
  3. Arbitrary Code Execution: if the attacker meets all of the qualifications under 2 above, and has the ability to save files to the filesystem as well (even to the tmp directory), then they can use the vulnerability to load and execute arbitrary C code. SELinux will prevent this specific type of exploit.

Which major versions of PostgreSQL are affected?

Versions 9.0, 9.1 and 9.2.

Users of version 8.4 are not affected. Users of version 8.3 and earlier are not affected by this issue, but are vulnerable to other unpatched security vulnerabilities, since those versions are EOL.

How can users protect themselves?

  • Download the update release and update all of your servers as soon as possible.
  • Ensure that PostgreSQL is not open to connections from untrusted networks.
  • Audit your database users to be certain that all logins require proper credentials, and that the only logins which exist are legitimate and in current use.

Use of advanced security frameworks, such as SELinux with PostgreSQL’s SEPostgres extension, also lessens or eliminates the exposure and potential damage from PostgreSQL security vulnerabilities.

See the complete FAQ on this release for more information on how the vulnerability was discovered, reported and who had access to the information and fix prior to the release being made generally available.
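As an added triage helper (not part of the original post or of the PostgreSQL project's own tooling), the function below classifies a server version string against the release matrix the FAQ gives: 9.0, 9.1 and 9.2 are affected and fixed in 9.0.13, 9.1.9 and 9.2.4; 8.4 is not affected; 8.3 and earlier are EOL. It accepts either a bare version or the full output of `SELECT version()`, and the inventory it runs over is a constructed sample.

```python
import re

# Patched releases named in the advisory, keyed by (major, minor) line.
FIXED = {(9, 2): 4, (9, 1): 9, (9, 0): 13}
# 8.4 shipped 8.4.17 in the same update but is not affected by CVE-2013-1899.
UNAFFECTED = {(8, 4)}

_VER = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from '9.1.8' or from a full
    `SELECT version()` string such as 'PostgreSQL 9.1.8 on x86_64-...'."""
    m = _VER.search(text)
    if not m:
        raise ValueError("no PostgreSQL version found in %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def assess(text):
    """Classify one server as patched / vulnerable / unaffected / eol.
    Lines newer than 9.2 post-date the advisory and are reported as such."""
    major, minor, patch = parse_version(text)
    line = (major, minor)
    if line in FIXED:
        return "patched" if patch >= FIXED[line] else "vulnerable"
    if line in UNAFFECTED:
        return "unaffected"
    if line < (8, 4):
        return "eol"           # unsupported line with other unpatched issues
    return "newer-than-advisory"


# Constructed sample inventory (hypothetical hosts, not real systems).
INVENTORY = {
    "db-a": "PostgreSQL 9.1.8 on x86_64-unknown-linux-gnu, compiled by gcc",
    "db-b": "9.2.4",
    "db-c": "8.4.17",
    "db-d": "8.3.23",
}


def triage(inventory):
    """Map each host to its assessment so the vulnerable ones can be listed."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(host, status)
```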

This entry was posted in Postgres by Stacey Schneider.

About Stacey Schneider

Stacey Schneider has over 15 years of working with technology, with a focus on working with sales and marketing automation as well as internationalization. Schneider has held roles in services, engineering, products and was the former head of marketing and community for Hyperic before it was acquired by SpringSource and VMware. She is now working as a product marketing manager across the vFabric products at VMware, including supporting Hyperic. Prior to Hyperic, Schneider held various positions at CRM software pioneer Siebel Systems, including Group Director of Technology Product Marketing, a role for which her contributions awarded her a patent. Schneider received her BS in Economics with a focus in International Business from the Pennsylvania State University.

29 thoughts on “PostgreSQL Security Release Now Available”

  1. سرور مجازی ایران

    Excellent post

    1. نمایندگی تعمیرات سامسونگ


  2. ims2014.in


  3. goodkandom.in

    ert5rtytrghgh ghgfghgfhfgvbfgfdgdf

  4. peplum.in

    mcvmnvcbmnvm hsadasdghs euwriewurieoruieow eeruieeo

  5. isrfg2013.in

    optyuytouoi ,m nbkmbnbkm hnfghfdgufd

  6. خرید کاندوم

    Buy condoms

  7. آهنگ ایرانی

    Iranian music

  8. بلیط ارزان هواپیما

    I am very happy to have found this information that I have been looking for

  9. قیمت بلیط هواپیما

    A great deal of research has been done on the topic. Read more on my site, and if you are looking for a news site, check out this

  10. بلیط قطار

    thanks sir

  11. آنتی ویروس

    thanks for the post

  12. خرید بلیط هواپیما

    the macaque, that's just for show

  13. سئو

    I do agree with all of the ideas you have offered in your post. They’re very convincing and will certainly work. Still, the posts are very quick for novices. Could you please extend them a bit next time? Thank you for the post.

  14. تور لحظه آخری

    We and the members of our company have liked the site so much that we look at it every day. We always pray for you and your colleagues, and that your good luck will also help us to succeed in this.

  15. 99Papers.com

    Wow, great news, good to hear that information about release

  16. 99Papers.com

    Really great information, thanks

  17. tavandarman

    tavandarman is the best site for online consultation

  18. Morgan Alice

    Oh thank God, I feel relaxed after reading this release about PostgreSQL Security. I was looking for information about PostgreSQL Security because I am a diploma student and my teacher gave me a CIPD assignment writing project about PostgreSQL Security; that’s the reason I was looking for this, but now I have got good information about it from here and from searching the internet. I am satisfied after getting this hugely relevant information from here.

  19. xxxreal.com

    Finally, I was waiting for this release for a while!

  20. eyemassagers.net

    Great news, will add to my library !

  21. چسب یو وی

    Great news, will add to my library !

  22. VapingDaily

    Great news that PostgreSQL Security is already available, we been waiting on it for a while!

  23. خرید عمده موکت

    thanks vmware

  24. pinoy channel flix

    You can always watch the Pinoy replays online in HD. Pinoy channel is one of the most popular replays, which you can watch online at any time.

  25. نماشویی

    Really great article, thanks

  26. Yarkoweb

    I have this version: “Versions 9.0, 9.1 and 9.2.” Didn’t affect me

  27. David Smith

    Hi, thanks for sharing this information with us. We have the best Juul Pods for nicotine at an affordable price, with a number of options available for your favorite Juul Pods. Order now and feel the difference between the best and average pods for nicotine. For more details, contact us.

  28. مشاوره روانشناسی


