Vulnerability identifier: #VU59043
Vulnerability risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID:
CWE-ID: CWE-401
Exploitation vector: Network
Exploit availability: No
Vulnerable software: PostgreSQL (Server applications / Database software)
Vendor: PostgreSQL Global Development Group
Description
The vulnerability allows a remote user to perform a denial of service (DoS) attack or gain access to sensitive information.
The vulnerability exists due to a memory leak during parallel sort operations. A remote user can force the application to leak memory and perform a denial of service attack or read arbitrary parts of memory on the system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
PostgreSQL: 11.0 - 13.3
External links
https://bugzilla.redhat.com/show_bug.cgi?id=2001857
https://www.postgresql.org/docs/release/13.4/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.