Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Password Flaws Patched in PostgreSQL

Security updates released last week by the developers of the open source object-relational database management system PostgreSQL address three vulnerabilities and more than 50 bugs reported in the last three months.

Security updates released last week by the developers of the open source object-relational database management system PostgreSQL address three vulnerabilities and more than 50 bugs reported in the last three months.

PostgreSQL, currently the fourth most popular database system, is affected by a vulnerability related to some authentication methods accepting empty passwords. Developers fixed the problem by disallowing empty passwords for all authentication methods.

“libpq, and by extension any connection driver that utilizes libpq, ignores empty passwords and does not transmit them to the server. When using libpq or a libpq-based connection driver to perform password-based authentication methods, it would appear that setting an empty password would be the equivalent of disabling password login. However, using a non-libpq based connection driver could allow a client with an empty password to log in,” PostgreSQL explained.

The flaw, tracked as CVE-2017-7546, is considered the most serious of the issues patched with the latest security updates, with a class “A” rating, which indicates that it can be exploited for privilege escalation without requiring prior login.

Another password-related issue is CVE-2017-7547, which could result in passwords being leaked to unauthorized users. This is the second attempt at patching this flaw, initially tracked as CVE-2017-7486.

PostgreSQL developers pointed out that applying the patch will only address the problem in new databases; a series of steps need to be taken to resolve the problem in existing databases.

The third vulnerability, tracked as CVE-2017-7548, can be exploited by any user to change data in a large object. The weakness exists due to the lack of a permission check associated with the lo_put() function, which should require the same permissions as lowrite().

Tom Lane, Michael Paquier, Heikki Linnakangas and Noah Misch have been credited for finding these vulnerabilities.

PostgreSQL users have been advised to update their installations as soon as possible to versions 9.6.4, 9.5.8, 9.4.13, 9.3.18 and 9.2.22. Users have been warned that version 9.2 will reach end-of-life in September 2017 and it will likely receive only one more update.

Related: Critical MySQL Zero-Day Exposes Servers to Attacks

Related: MongoDB Databases Actively Hijacked for Extortion

Related: Serious Vulnerabilities Found in Riverbed SteelCentral Portal

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.