If you’re a web developer or database administrator, you’ve surely heard of PostgreSQL (or Postgres for short), a relatively popular object-relational database management system (ORDBMS). According to an alert posted today, the PostgreSQL Global Development Group (PGDG) released security updates for the latest releases of the popular Postgres database system.
The updates fix five vulnerabilities in the latest versions of Postgres, including version 8.4.x and above. The most serious of the flaws allows an unauthenticated attacker to write data to any accessible file on your Postgres server, including critical database files. The Postgres folks call this a Denial of Service (DoS) attack, but I think it’s a bit worse than that, since it can also allow attackers to corrupt your database files. Furthermore, if an attacker can obtain a valid login to your server, even as an underprivileged user, he could also exploit this flaw to elevate his privileges to a superuser, and execute arbitrary code. That said, the attacker can only pull this off if you allow external access to the Postgres ports (typically TCP 5432).
This flaw was first discovered externally by two Japanese security researchers. They found that a particular cloud service called Heroku was especially vulnerable to this issue, since it makes Postgres servers publicly accessible online. According to their blog post, Postgres offered the fix to Heroku a few days before today’s public release, which illustrates the seriousness of this issue. In short, if you manage a PostgreSQL server, we recommend you apply the proper updates as soon as possible. You can learn more about this vulnerability and the update in Postgres’ FAQ about the issue.
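Since the post ties exploitability to whether the Postgres port is reachable from outside, a quick way to answer that question for your own servers is to read the two settings that control it: `listen_addresses` in postgresql.conf and the `host` rules in pg_hba.conf. The script below is an added example written for this post, not code from PostgreSQL or from the original author; the configuration fragments it audits are constructed samples, and the helper names (`listens_externally`, `parse_pg_hba`, `rule_findings`, `audit`) are my own. It flags rules that match every client address (`0.0.0.0/0`, `::/0`, `all`) and rules using the `trust` method over TCP. Host firewalls are outside its view, so treat its output as one input to the exposure question rather than the whole answer.

```python
"""Audit a PostgreSQL server's network exposure from its configuration files.

Added example (not from the original post). Checks listen_addresses in
postgresql.conf and the host rules in pg_hba.conf, the two settings that
decide whether other hosts can reach the server on TCP 5432.
"""
import ipaddress
import re

# Constructed sample fragments; not taken from any real server.
SAMPLE_POSTGRESQL_CONF = """\
# constructed postgresql.conf excerpt
listen_addresses = '*'          # every interface
port = 5432
"""

SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD   (constructed pg_hba.conf)
local   all       all                  peer
host    all       all   127.0.0.1/32   md5
host    all       all   10.0.0.0/8     md5
host    all       all   0.0.0.0/0      md5
hostssl app       app   0.0.0.0/0      trust
host    all       all   ::/0           md5
"""


def strip_comment(line):
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_listen_addresses(conf_text):
    """Return the listen_addresses value, or the server default 'localhost'."""
    for raw in conf_text.splitlines():
        m = re.match(r"listen_addresses\s*=\s*'?([^']*?)'?\s*$", strip_comment(raw))
        if m:
            return m.group(1)
    return "localhost"


def listens_externally(conf_text):
    """True if any configured listen address is something other than loopback."""
    for host in parse_listen_addresses(conf_text).split(","):
        host = host.strip()
        if not host:
            continue
        if host in ("*", "0.0.0.0", "::"):
            return True
        try:
            if not ipaddress.ip_address(host).is_loopback:
                return True
        except ValueError:
            if host != "localhost":   # any other hostname is assumed non-loopback
                return True
    return False


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_pg_hba(hba_text):
    """Parse pg_hba.conf rules; handles CIDR and the older 'IP NETMASK' form."""
    rules = []
    for raw in hba_text.splitlines():
        fields = strip_comment(raw).split()
        if not fields:
            continue
        kind = fields[0]
        if kind == "local":
            if len(fields) < 4:
                raise ValueError("malformed local rule: %r" % raw)
            db, user, addr, method = fields[1], fields[2], None, fields[3]
        else:
            if len(fields) < 5:
                raise ValueError("malformed host rule: %r" % raw)
            db, user, addr, method = fields[1], fields[2], fields[3], fields[4]
            if len(fields) >= 6 and _is_ip(fields[4]):   # ADDRESS NETMASK METHOD
                addr, method = fields[3] + "/" + fields[4], fields[5]
        rules.append({"type": kind, "database": db, "user": user,
                      "address": addr, "method": method})
    return rules


def rule_findings(rule):
    """Return the exposure problems a single rule has (empty list if none)."""
    findings = []
    if rule["type"] == "local":
        return findings            # Unix-socket rules are not reachable over the network
    addr = rule["address"]
    if addr == "all":
        findings.append("matches every client address")
    else:
        try:
            if ipaddress.ip_network(addr, strict=False).prefixlen == 0:
                findings.append("matches every client address (%s)" % addr)
        except ValueError:
            pass                   # samehost/samenet/hostname: not judged here
    if rule["method"] == "trust":
        findings.append("trust: matching clients connect without any credential")
    return findings


def audit(conf_text, hba_text):
    """Combine both files into one exposure report."""
    report = {"listens_externally": listens_externally(conf_text), "findings": []}
    for index, rule in enumerate(parse_pg_hba(hba_text), start=1):
        for problem in rule_findings(rule):
            report["findings"].append((index, rule["type"], rule["address"], problem))
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_POSTGRESQL_CONF, SAMPLE_PG_HBA)
    print("listens on non-loopback interfaces:", result["listens_externally"])
    for index, kind, addr, problem in result["findings"]:
        print("pg_hba rule %d (%s %s): %s" % (index, kind, addr, problem))
```

On the constructed sample the script reports that the server listens on every interface and flags four problems: the two `0.0.0.0/0` rules, the `::/0` rule, and the `trust` method on the `hostssl` line. A server whose report is clean (loopback only, or only private ranges with password authentication) is still unpatched until the update is applied; the audit only tells you how urgently.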
As an aside, inquisitive users may realize that we use Postgres in a number of our products, including our WSM Logging and Reporting servers, and our XCS appliances. I can happily report our implementations of Postgres are not vulnerable to these issues, because we don’t use the vulnerable versions, nor do we expose the Postgres service in a way that an attacker could leverage this flaw. — Corey Nachreiner, CISSP (@SecAdept)