SB202502194479 - Amazon Linux AMI update for postgresql15

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Out-of-bounds read (CVE-ID: CVE-2022-41862)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A remote attacker can send an unterminated string during the establishment of Kerberos transport encryption, trigger an out-of-bounds read error and read contents of memory on the system.

2) Security features bypass (CVE-ID: CVE-2023-2455)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to incomplete fix for #VU40402 (CVE-2016-2193) that did not anticipate a scenario involving function inlining. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications.

This affects only databases that have used CREATE POLICY to define a row security policy.

3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-39418)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to the MERGE command does not properly enforce UPDATE or SELECT row security policies. A remote user can read or update protected data.

4) Security Features (CVE-ID: CVE-2016-2193)

The vulnerability allows a remote non-authenticated attacker to manipulate data.

PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role.

Remediation

Install update from vendor's website.

References

• https://alas.aws.amazon.com/AL2023/ALAS-2023-387.html