Headline
Varonis Warns of Bug Discovered in PostgreSQL PL/Perl
Several versions of PostgreSQL are impacted, and customers will need to upgrade in order to patch.
Source: tofino via Alamy Stock Photo
Researchers at Varonis discovered a vulnerability within Postgres language extension PL/Perl, allowing a user to set arbitrary environment variables in PostgreSQL session processes.
The vulnerability was given a CVSS 8.8 score for severity and could lead to severe security issues, depending on the scenario where it’s exploited.
Tracked as CVE-2024-10979, the flaw allows a threat actor to modify a sensitive environment, ultimately allowing them to execute arbitrary code without accessing a user of the operating system.
The vulnerability also allows a threat actor to run additional queries to gather information on the machine and its contents.
Versions preceding PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected by this vulnerability and can be mitigated by upgrading to PostgreSQL, “to the latest minor version at a minimum,” according to the researchers, as well as restricting allowed extensions.
Postgres customers should also examine ddl logs for creation of functions they do not recognize or did not create themselves to assess if they have been impacted.
About the Author
Related news
Red Hat Security Advisory 2024-10750-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-10739-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-10736-03 - An update for the postgresql:15 module is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Issues addressed include a code execution vulnerability.
Red Hat Security Advisory 2024-10705-03 - An update for the postgresql:12 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.
Ubuntu Security Notice 7132-1 - It was discovered that PostgreSQL incorrectly tracked tables with row security. A remote attacker could possibly use this issue to perform forbidden reads and modifications. Jacob Champion discovered that PostgreSQL clients used untrusted server error messages. An attacker that is able to intercept network communications could possibly use this issue to inject error messages that could be interpreted as valid query results.
Red Hat Security Advisory 2024-10677-03 - An update for the postgresql:13 module is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Issues addressed include a code execution vulnerability.
Debian Linux Security Advisory 5812-1 - Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation or log manipulation.
Cybersecurity researchers at Varonis have identified a serious security vulnerability in PostgreSQL that could lead to data breaches…