SUSE update for postgresql12



Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2021-23214
CVE-2021-23222
CWE-ID CWE-311
Exploitation vector Local network
Public exploit N/A
Vulnerable software
 SUSE Linux Enterprise Module for Legacy Software
Operating systems & Components / Operating system

SUSE Linux Enterprise Module for Server Applications
Operating systems & Components / Operating system

SUSE Linux Enterprise Module for Basesystem
Operating systems & Components / Operating system

SUSE Linux Enterprise Module for Packagehub Subpackages
Operating systems & Components / Operating system package or component

postgresql12
Operating systems & Components / Operating system package or component

postgresql12-test
Operating systems & Components / Operating system package or component

postgresql12-llvmjit-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-llvmjit
Operating systems & Components / Operating system package or component

postgresql12-docs
Operating systems & Components / Operating system package or component

postgresql12-server-devel-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-server-devel
Operating systems & Components / Operating system package or component

postgresql12-server-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-server
Operating systems & Components / Operating system package or component

postgresql12-pltcl-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-pltcl
Operating systems & Components / Operating system package or component

postgresql12-plpython-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-plpython
Operating systems & Components / Operating system package or component

postgresql12-plperl-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-plperl
Operating systems & Components / Operating system package or component

postgresql12-devel-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-devel
Operating systems & Components / Operating system package or component

postgresql12-debugsource
Operating systems & Components / Operating system package or component

postgresql12-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-contrib-debuginfo
Operating systems & Components / Operating system package or component

postgresql12-contrib
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Missing Encryption of Sensitive Data

EUVDB-ID: #VU58113

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23214

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way PostgreSQL handles encrypted connections. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

Mitigation

Update the affected package postgresql12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Legacy Software: 15-SP3

SUSE Linux Enterprise Module for Packagehub Subpackages: 15-SP2 - 15-SP3

SUSE Linux Enterprise Module for Server Applications: 15-SP2

SUSE Linux Enterprise Module for Basesystem: 15-SP2

postgresql12: before 12.9-8.26.1

postgresql12-test: before 12.9-8.26.1

postgresql12-llvmjit-debuginfo: before 12.9-8.26.1

postgresql12-llvmjit: before 12.9-8.26.1

postgresql12-docs: before 12.9-8.26.1

postgresql12-server-devel-debuginfo: before 12.9-8.26.1

postgresql12-server-devel: before 12.9-8.26.1

postgresql12-server-debuginfo: before 12.9-8.26.1

postgresql12-server: before 12.9-8.26.1

postgresql12-pltcl-debuginfo: before 12.9-8.26.1

postgresql12-pltcl: before 12.9-8.26.1

postgresql12-plpython-debuginfo: before 12.9-8.26.1

postgresql12-plpython: before 12.9-8.26.1

postgresql12-plperl-debuginfo: before 12.9-8.26.1

postgresql12-plperl: before 12.9-8.26.1

postgresql12-devel-debuginfo: before 12.9-8.26.1

postgresql12-devel: before 12.9-8.26.1

postgresql12-debugsource: before 12.9-8.26.1

postgresql12-debuginfo: before 12.9-8.26.1

postgresql12-contrib-debuginfo: before 12.9-8.26.1

postgresql12-contrib: before 12.9-8.26.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2021/suse-su-20213758-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing Encryption of Sensitive Data

EUVDB-ID: #VU58114

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23222

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way the libpq process in PostgreSQL handles encrypted connections. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. The attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session.

Mitigation

Update the affected package postgresql12 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Module for Legacy Software: 15-SP3

SUSE Linux Enterprise Module for Packagehub Subpackages: 15-SP2 - 15-SP3

SUSE Linux Enterprise Module for Server Applications: 15-SP2

SUSE Linux Enterprise Module for Basesystem: 15-SP2

postgresql12: before 12.9-8.26.1

postgresql12-test: before 12.9-8.26.1

postgresql12-llvmjit-debuginfo: before 12.9-8.26.1

postgresql12-llvmjit: before 12.9-8.26.1

postgresql12-docs: before 12.9-8.26.1

postgresql12-server-devel-debuginfo: before 12.9-8.26.1

postgresql12-server-devel: before 12.9-8.26.1

postgresql12-server-debuginfo: before 12.9-8.26.1

postgresql12-server: before 12.9-8.26.1

postgresql12-pltcl-debuginfo: before 12.9-8.26.1

postgresql12-pltcl: before 12.9-8.26.1

postgresql12-plpython-debuginfo: before 12.9-8.26.1

postgresql12-plpython: before 12.9-8.26.1

postgresql12-plperl-debuginfo: before 12.9-8.26.1

postgresql12-plperl: before 12.9-8.26.1

postgresql12-devel-debuginfo: before 12.9-8.26.1

postgresql12-devel: before 12.9-8.26.1

postgresql12-debugsource: before 12.9-8.26.1

postgresql12-debuginfo: before 12.9-8.26.1

postgresql12-contrib-debuginfo: before 12.9-8.26.1

postgresql12-contrib: before 12.9-8.26.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2021/suse-su-20213758-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###