Secplicity - Security Simplified

Powered by WatchGuard Technologies

PostgreSQL Update Fixes Critical Security Flaw

April 4, 2013 By Corey Nachreiner

If you’re a web developer or database administrator, you’ve surely heard of PostgreSQL (or Postgres for short), a relatively popular object-relational database management system (ORDBMS). According to an alert posted today, the PostgreSQL Global Development Group (PGDG) released security updates for the latest releases of the popular Postgres database system.

The updates fix five vulnerabilities in the latest versions of Postgres, including version 8.4.x and above. The most serious of the flaws allows an unauthenticated attacker to write data to any accessible file on your Postgres server, including critical database files. The Postgres folks call this a Denial of Service (DoS) attack, but I think it’s a bit worse than that, since it can also allow attackers to corrupt your database files. Furthermore, if an attacker can obtain a valid login to your server, even as an underprivileged user, he could also exploit this flaw to elevate his privileges to a superuser, and execute arbitrary code. That said, the attacker can only pull this off if you allow external access to the Postgres ports (typically TCP 5432).

This flaw was first discovered externally by two Japanese security researchers. They found that a particular cloud service called Heroku was especially vulnerable to this issue, since it makes Postgres servers publicly accessible online. According to their blog post, Postgres offered the fix to Heroku a few days before today’s public release, which illustrates the seriousness of this issue. In short, if you manage a PostgreSQL server, we recommend you apply the proper updates as soon as possible. You can learn more about this vulnerability and the update in Postgres’ FAQ about the issue.
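As an added example (not code from this post or from the PostgreSQL project), the check below parses constructed postgresql.conf and pg_hba.conf excerpts and reports the host rules that make the service reachable from non-loopback clients, which is the exposure the post says this flaw depends on. The setting name listen_addresses and the pg_hba.conf rule layout are real PostgreSQL configuration; the sample contents and the helper names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample configuration excerpts (not from any real server).
SAMPLE_POSTGRESQL_CONF = """
port = 5432
listen_addresses = '*'   # listens on every interface
"""
SAMPLE_PG_HBA = """
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   0.0.0.0/0       md5     # reachable from anywhere
"""
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}

def parse_listen_addresses(conf_text):
    """Return the listen_addresses list; PostgreSQL defaults to 'localhost'."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"listen_addresses\s*=\s*'([^']*)'", line)
        if m:
            return [a.strip() for a in m.group(1).split(",") if a.strip()]
    return ["localhost"]

def listens_externally(conf_text):
    """True if any listen address is a wildcard or a non-loopback address."""
    for addr in parse_listen_addresses(conf_text):
        if addr in LOOPBACK_NAMES:
            continue
        if addr in ("*", "0.0.0.0", "::"):
            return True
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return True
        except ValueError:
            return True  # unresolved hostname: treat as external (conservative)
    return False

def exposed_hba_rules(conf_text, hba_text):
    """pg_hba 'host*' rules whose CIDR covers non-loopback clients, when the
    server also listens externally. Only the CIDR address form is handled."""
    if not listens_externally(conf_text):
        return []
    exposed = []
    for raw in hba_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 5 or parts[0] not in ("host", "hostssl", "hostnossl"):
            continue
        try:
            net = ipaddress.ip_network(parts[3], strict=False)
        except ValueError:
            continue  # hostnames, samehost/samenet, address+netmask form: skipped
        if not net.is_loopback:
            exposed.append((parts[0], parts[1], parts[2], parts[3], parts[4]))
    return exposed
```

A server whose listen_addresses is 'localhost' yields an empty list regardless of pg_hba.conf, since the post's precondition (external access to the Postgres port) is then absent.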

As an aside, inquisitive users may realize that we use Postgres in a number of our products, including our WSM Logging and Reporting servers, and our XCS appliances. I can happily report our implementations of Postgres are not vulnerable to these issues, because we don’t use the vulnerable versions, nor do we expose the Postgres service in a way that an attacker could leverage this flaw. — Corey Nachreiner, CISSP (@SecAdept)
