#VU58114 Missing Encryption of Sensitive Data in PostgreSQL - CVE-2021-23222


Vulnerability identifier: #VU58114

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-23222

CWE-ID: CWE-311

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way the libpq process in PostgreSQL handles encrypted connections. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. The attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 9.6.0 - 9.6.23, 10.0 - 14.0

External links
https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


VMware Tanzu Operations Manager update for PostgreSQL
Ubuntu update for postgresql-9.5
Gentoo update for PostgreSQL
openEuler 22.03 LTS update for postgresql
Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Infrastructure Management
SUSE update for postgresql12
SUSE update for postgresql10
Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes (RHACS)
Multiple vulnerabilities in Red Hat Advanced Cluster Security for Kubernetes (RHACS)
Anolis OS update for libpq