SUSE update for postgresql10

Published: 2022-08-25

Risk	Medium
Patch available	YES
Number of vulnerabilities	4
CVE-ID	CVE-2021-23214 CVE-2021-23222 CVE-2022-1552 CVE-2022-2625
CWE-ID	CWE-311 CWE-264
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	SUSE Linux Enterprise Server for SAP Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing Operating systems & Components / Operating system SUSE Enterprise Storage Operating systems & Components / Operating system SUSE CaaS Platform Operating systems & Components / Operating system SUSE Linux Enterprise Server Operating systems & Components / Operating system libpq5-32bit-debuginfo Operating systems & Components / Operating system package or component libpq5-32bit Operating systems & Components / Operating system package or component postgresql10-docs Operating systems & Components / Operating system package or component postgresql10-server-debuginfo Operating systems & Components / Operating system package or component postgresql10-server Operating systems & Components / Operating system package or component postgresql10-pltcl-debuginfo Operating systems & Components / Operating system package or component postgresql10-pltcl Operating systems & Components / Operating system package or component postgresql10-plpython-debuginfo Operating systems & Components / Operating system package or component postgresql10-plpython Operating systems & Components / Operating system package or component postgresql10-plperl-debuginfo Operating systems & Components / Operating system package or component postgresql10-plperl Operating systems & Components / Operating system package or component postgresql10-devel-debuginfo Operating systems & Components / Operating system package or component postgresql10-devel Operating systems & Components / Operating system package or component postgresql10-debugsource Operating systems & Components / Operating system package or component postgresql10-debuginfo Operating systems & Components / Operating system package or component postgresql10-contrib-debuginfo Operating systems & Components / Operating system package or component postgresql10-contrib Operating systems & Components / Operating system package or component postgresql10 Operating systems & Components / Operating system package or component libpq5-debuginfo Operating systems & Components / Operating system package or component libpq5 Operating systems & Components / Operating system package or component libecpg6-debuginfo Operating systems & Components / Operating system package or component libecpg6 Operating systems & Components / Operating system package or component postgresql-server-devel Operating systems & Components / Operating system package or component postgresql-server Operating systems & Components / Operating system package or component postgresql-pltcl Operating systems & Components / Operating system package or component postgresql-plpython Operating systems & Components / Operating system package or component postgresql-plperl Operating systems & Components / Operating system package or component postgresql-docs Operating systems & Components / Operating system package or component postgresql-devel Operating systems & Components / Operating system package or component postgresql-contrib Operating systems & Components / Operating system package or component postgresql Operating systems & Components / Operating system package or component
Vendor	SUSE

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Missing Encryption of Sensitive Data

EUVDB-ID: #VU58113

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23214

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way PostgreSQL handles encrypted connections. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

Mitigation

Update the affected package postgresql10 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP2

SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS

libpq5-32bit-debuginfo: before 10.22-150000.4.42.1

libpq5-32bit: before 10.22-150000.4.42.1

postgresql10-docs: before 10.22-150000.4.42.1

postgresql10-server-debuginfo: before 10.22-150000.4.42.1

postgresql10-server: before 10.22-150000.4.42.1

postgresql10-pltcl-debuginfo: before 10.22-150000.4.42.1

postgresql10-pltcl: before 10.22-150000.4.42.1

postgresql10-plpython-debuginfo: before 10.22-150000.4.42.1

postgresql10-plpython: before 10.22-150000.4.42.1

postgresql10-plperl-debuginfo: before 10.22-150000.4.42.1

postgresql10-plperl: before 10.22-150000.4.42.1

postgresql10-devel-debuginfo: before 10.22-150000.4.42.1

postgresql10-devel: before 10.22-150000.4.42.1

postgresql10-debugsource: before 10.22-150000.4.42.1

postgresql10-debuginfo: before 10.22-150000.4.42.1

postgresql10-contrib-debuginfo: before 10.22-150000.4.42.1

postgresql10-contrib: before 10.22-150000.4.42.1

postgresql10: before 10.22-150000.4.42.1

libpq5-debuginfo: before 10.22-150000.4.42.1

libpq5: before 10.22-150000.4.42.1

libecpg6-debuginfo: before 10.22-150000.4.42.1

libecpg6: before 10.22-150000.4.42.1

postgresql-server-devel: before 12.0.1-150000.8.19.1

postgresql-server: before 12.0.1-150000.8.19.1

postgresql-pltcl: before 12.0.1-150000.8.19.1

postgresql-plpython: before 12.0.1-150000.8.19.1

postgresql-plperl: before 12.0.1-150000.8.19.1

postgresql-docs: before 12.0.1-150000.8.19.1

postgresql-devel: before 12.0.1-150000.8.19.1

postgresql-contrib: before 12.0.1-150000.8.19.1

postgresql: before 12.0.1-150000.8.19.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222893-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Missing Encryption of Sensitive Data

EUVDB-ID: #VU58114

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23222

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way the libpq process in PostgreSQL handles encrypted connections. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. The attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session.

Mitigation

Update the affected package postgresql10 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP2

SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS

libpq5-32bit-debuginfo: before 10.22-150000.4.42.1

libpq5-32bit: before 10.22-150000.4.42.1

postgresql10-docs: before 10.22-150000.4.42.1

postgresql10-server-debuginfo: before 10.22-150000.4.42.1

postgresql10-server: before 10.22-150000.4.42.1

postgresql10-pltcl-debuginfo: before 10.22-150000.4.42.1

postgresql10-pltcl: before 10.22-150000.4.42.1

postgresql10-plpython-debuginfo: before 10.22-150000.4.42.1

postgresql10-plpython: before 10.22-150000.4.42.1

postgresql10-plperl-debuginfo: before 10.22-150000.4.42.1

postgresql10-plperl: before 10.22-150000.4.42.1

postgresql10-devel-debuginfo: before 10.22-150000.4.42.1

postgresql10-devel: before 10.22-150000.4.42.1

postgresql10-debugsource: before 10.22-150000.4.42.1

postgresql10-debuginfo: before 10.22-150000.4.42.1

postgresql10-contrib-debuginfo: before 10.22-150000.4.42.1

postgresql10-contrib: before 10.22-150000.4.42.1

postgresql10: before 10.22-150000.4.42.1

libpq5-debuginfo: before 10.22-150000.4.42.1

libpq5: before 10.22-150000.4.42.1

libecpg6-debuginfo: before 10.22-150000.4.42.1

libecpg6: before 10.22-150000.4.42.1

postgresql-server-devel: before 12.0.1-150000.8.19.1

postgresql-server: before 12.0.1-150000.8.19.1

postgresql-pltcl: before 12.0.1-150000.8.19.1

postgresql-plpython: before 12.0.1-150000.8.19.1

postgresql-plperl: before 12.0.1-150000.8.19.1

postgresql-docs: before 12.0.1-150000.8.19.1

postgresql-devel: before 12.0.1-150000.8.19.1

postgresql-contrib: before 12.0.1-150000.8.19.1

postgresql: before 12.0.1-150000.8.19.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222893-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU63126

Risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-1552

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to incorrectly imposed security restrictions in Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck. A remote authenticated user with permission to create non-temp objects can execute arbitrary SQL functions under a superuser identity and escalate privileges within the application.

Mitigation

Update the affected package postgresql10 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP2

SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS

libpq5-32bit-debuginfo: before 10.22-150000.4.42.1

libpq5-32bit: before 10.22-150000.4.42.1

postgresql10-docs: before 10.22-150000.4.42.1

postgresql10-server-debuginfo: before 10.22-150000.4.42.1

postgresql10-server: before 10.22-150000.4.42.1

postgresql10-pltcl-debuginfo: before 10.22-150000.4.42.1

postgresql10-pltcl: before 10.22-150000.4.42.1

postgresql10-plpython-debuginfo: before 10.22-150000.4.42.1

postgresql10-plpython: before 10.22-150000.4.42.1

postgresql10-plperl-debuginfo: before 10.22-150000.4.42.1

postgresql10-plperl: before 10.22-150000.4.42.1

postgresql10-devel-debuginfo: before 10.22-150000.4.42.1

postgresql10-devel: before 10.22-150000.4.42.1

postgresql10-debugsource: before 10.22-150000.4.42.1

postgresql10-debuginfo: before 10.22-150000.4.42.1

postgresql10-contrib-debuginfo: before 10.22-150000.4.42.1

postgresql10-contrib: before 10.22-150000.4.42.1

postgresql10: before 10.22-150000.4.42.1

libpq5-debuginfo: before 10.22-150000.4.42.1

libpq5: before 10.22-150000.4.42.1

libecpg6-debuginfo: before 10.22-150000.4.42.1

libecpg6: before 10.22-150000.4.42.1

postgresql-server-devel: before 12.0.1-150000.8.19.1

postgresql-server: before 12.0.1-150000.8.19.1

postgresql-pltcl: before 12.0.1-150000.8.19.1

postgresql-plpython: before 12.0.1-150000.8.19.1

postgresql-plperl: before 12.0.1-150000.8.19.1

postgresql-docs: before 12.0.1-150000.8.19.1

postgresql-devel: before 12.0.1-150000.8.19.1

postgresql-contrib: before 12.0.1-150000.8.19.1

postgresql: before 12.0.1-150000.8.19.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222893-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU66429

Risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-2625

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote user to escalate privileges within the database.

The vulnerability exists due to extension scripts can replace objects that do not belong to the extension when using the CREATE OR REPLACE or CREATE IF NOT EXISTS commands. A remote user with (1) permissions to create non-temporary objects in at least one schema, (2) ability to lure or wait for an administrator to create or update an affected extension in that schema, and (3) ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS can run arbitrary code as the victim role.

Mitigation

Update the affected package postgresql10 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP: 15-SP1 - 15-SP2

SUSE Linux Enterprise High Performance Computing: 15-LTSS - 15-SP1-ESPOS

SUSE Enterprise Storage: 6

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Server: 15-LTSS - 15-SP1-LTSS

libpq5-32bit-debuginfo: before 10.22-150000.4.42.1

libpq5-32bit: before 10.22-150000.4.42.1

postgresql10-docs: before 10.22-150000.4.42.1

postgresql10-server-debuginfo: before 10.22-150000.4.42.1

postgresql10-server: before 10.22-150000.4.42.1

postgresql10-pltcl-debuginfo: before 10.22-150000.4.42.1

postgresql10-pltcl: before 10.22-150000.4.42.1

postgresql10-plpython-debuginfo: before 10.22-150000.4.42.1

postgresql10-plpython: before 10.22-150000.4.42.1

postgresql10-plperl-debuginfo: before 10.22-150000.4.42.1

postgresql10-plperl: before 10.22-150000.4.42.1

postgresql10-devel-debuginfo: before 10.22-150000.4.42.1

postgresql10-devel: before 10.22-150000.4.42.1

postgresql10-debugsource: before 10.22-150000.4.42.1

postgresql10-debuginfo: before 10.22-150000.4.42.1

postgresql10-contrib-debuginfo: before 10.22-150000.4.42.1

postgresql10-contrib: before 10.22-150000.4.42.1

postgresql10: before 10.22-150000.4.42.1

libpq5-debuginfo: before 10.22-150000.4.42.1

libpq5: before 10.22-150000.4.42.1

libecpg6-debuginfo: before 10.22-150000.4.42.1

libecpg6: before 10.22-150000.4.42.1

postgresql-server-devel: before 12.0.1-150000.8.19.1

postgresql-server: before 12.0.1-150000.8.19.1

postgresql-pltcl: before 12.0.1-150000.8.19.1

postgresql-plpython: before 12.0.1-150000.8.19.1

postgresql-plperl: before 12.0.1-150000.8.19.1

postgresql-docs: before 12.0.1-150000.8.19.1

postgresql-devel: before 12.0.1-150000.8.19.1

postgresql-contrib: before 12.0.1-150000.8.19.1

postgresql: before 12.0.1-150000.8.19.1

CPE2.3

External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222893-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.