Security updates released last week by the developers of the open source object-relational database management system PostgreSQL address three vulnerabilities and more than 50 bugs reported in the last three months.
PostgreSQL, currently the fourth most popular database system, is affected by a vulnerability related to some authentication methods accepting empty passwords. Developers fixed the problem by disallowing empty passwords for all authentication methods.
“libpq, and by extension any connection driver that utilizes libpq, ignores empty passwords and does not transmit them to the server. When using libpq or a libpq-based connection driver to perform password-based authentication methods, it would appear that setting an empty password would be the equivalent of disabling password login. However, using a non-libpq based connection driver could allow a client with an empty password to log in,” PostgreSQL explained.
The flaw, tracked as CVE-2017-7546, is considered the most serious of the issues patched with the latest security updates, with a class “A” rating, which indicates that it can be exploited for privilege escalation without requiring prior login.
Another password-related issue is CVE-2017-7547, which could result in passwords being leaked to unauthorized users. This is the second attempt at patching this flaw, initially tracked as CVE-2017-7486.
PostgreSQL developers pointed out that applying the patch will only address the problem in new databases; a series of steps need to be taken to resolve the problem in existing databases.
The third vulnerability, tracked as CVE-2017-7548, can be exploited by any user to change data in a large object. The weakness exists due to the lack of a permission check associated with the lo_put() function, which should require the same permissions as lowrite().
Tom Lane, Michael Paquier, Heikki Linnakangas and Noah Misch have been credited for finding these vulnerabilities.
PostgreSQL users have been advised to update their installations as soon as possible to versions 9.6.4, 9.5.8, 9.4.13, 9.3.18 and 9.2.22. Users have been warned that version 9.2 will reach end-of-life in September 2017 and it will likely receive only one more update.
Related: Critical MySQL Zero-Day Exposes Servers to Attacks
Related: MongoDB Databases Actively Hijacked for Extortion
Related: Serious Vulnerabilities Found in Riverbed SteelCentral Portal
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
