Amazon Linux AMI update for postgresql15

Published: 2025-02-19

Risk	Medium
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2023-39417
CWE-ID	CWE-89
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system postgresql15 Operating systems & Components / Operating system package or component
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) SQL injection

EUVDB-ID: #VU79454

Risk: Medium

CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-39417

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the extension script @substitutions@, which uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Mitigation

Update the affected packages:

aarch64:
    postgresql15-server-devel-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-server-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-pltcl-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-upgrade-devel-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-llvmjit-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-private-devel-15.0-1.amzn2023.0.4.aarch64
    postgresql15-plpython3-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-15.0-1.amzn2023.0.4.aarch64
    postgresql15-private-libs-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-contrib-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-private-libs-15.0-1.amzn2023.0.4.aarch64
    postgresql15-plpython3-15.0-1.amzn2023.0.4.aarch64
    postgresql15-test-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-server-15.0-1.amzn2023.0.4.aarch64
    postgresql15-upgrade-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-static-15.0-1.amzn2023.0.4.aarch64
    postgresql15-docs-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-upgrade-15.0-1.amzn2023.0.4.aarch64
    postgresql15-upgrade-devel-15.0-1.amzn2023.0.4.aarch64
    postgresql15-server-devel-15.0-1.amzn2023.0.4.aarch64
    postgresql15-plperl-debuginfo-15.0-1.amzn2023.0.4.aarch64
    postgresql15-contrib-15.0-1.amzn2023.0.4.aarch64
    postgresql15-pltcl-15.0-1.amzn2023.0.4.aarch64
    postgresql15-llvmjit-15.0-1.amzn2023.0.4.aarch64
    postgresql15-test-15.0-1.amzn2023.0.4.aarch64
    postgresql15-plperl-15.0-1.amzn2023.0.4.aarch64
    postgresql15-docs-15.0-1.amzn2023.0.4.aarch64
    postgresql15-debugsource-15.0-1.amzn2023.0.4.aarch64

noarch:
    postgresql15-test-rpm-macros-15.0-1.amzn2023.0.4.noarch

src:
    postgresql15-15.0-1.amzn2023.0.4.src

x86_64:
    postgresql15-upgrade-devel-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-private-libs-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-llvmjit-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-server-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-test-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-plperl-15.0-1.amzn2023.0.4.x86_64
    postgresql15-plpython3-15.0-1.amzn2023.0.4.x86_64
    postgresql15-server-devel-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-docs-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-test-15.0-1.amzn2023.0.4.x86_64
    postgresql15-pltcl-15.0-1.amzn2023.0.4.x86_64
    postgresql15-15.0-1.amzn2023.0.4.x86_64
    postgresql15-static-15.0-1.amzn2023.0.4.x86_64
    postgresql15-plpython3-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-private-libs-15.0-1.amzn2023.0.4.x86_64
    postgresql15-plperl-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-private-devel-15.0-1.amzn2023.0.4.x86_64
    postgresql15-pltcl-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-docs-15.0-1.amzn2023.0.4.x86_64
    postgresql15-server-devel-15.0-1.amzn2023.0.4.x86_64
    postgresql15-upgrade-15.0-1.amzn2023.0.4.x86_64
    postgresql15-llvmjit-15.0-1.amzn2023.0.4.x86_64
    postgresql15-contrib-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-upgrade-debuginfo-15.0-1.amzn2023.0.4.x86_64
    postgresql15-server-15.0-1.amzn2023.0.4.x86_64
    postgresql15-contrib-15.0-1.amzn2023.0.4.x86_64
    postgresql15-upgrade-devel-15.0-1.amzn2023.0.4.x86_64
    postgresql15-debugsource-15.0-1.amzn2023.0.4.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

postgresql15: before 15.0-1

CPE2.3

External links

https://alas.aws.amazon.com/AL2023/ALAS-2023-322.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.