#VU314 Arbitrary code execution in PostgreSQL and Oracle Linux - CVE-2016-5423


| Updated: 2017-01-11

Vulnerability identifier: #VU314

Vulnerability risk: Critical

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red]

CVE-ID: CVE-2016-5423

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software
Oracle Linux
Operating systems & Components / Operating system

Vendor: PostgreSQL Global Development Group
Oracle

Description
The vulnerability allows a remote attacker to execute arbitrary code,

The vulnerability exists in PostgreSQL. A remote authenticated attacker can cause the target server to crash, disclose portions of server memory, or potentially execute arbitrary code by submiting specially crafted SQL statements containing CASE/WHEN commands.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install the following versions: (9.1.23, 9.2.18, 9.3.14, 9.4.9, 9.5.4).

Vulnerable software versions

PostgreSQL: 9.1

Oracle Linux: 7

External links
https://www.postgresql.org/about/news/1688/
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat update for rh-postgresql95-postgresql
OpenSUSE Linux update for postgresql93
Gentoo update for PostgreSQL
OpenSUSE Linux update for postgresql94
OpenSUSE Linux update for postgresql93
SUSE Linux update for postgresql94
SUSE Linux update for postgresql94
SUSE Linux update for postgresql93
Amazon Linux AMI update for postgresql92, postgresql93, postgresql94
Ubuntu update for PostgreSQL