The PostgreSQL Global Development Group has published an update to all supported versions of the database system, namely 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22, released on August 10, 2017. The update addresses three security vulnerabilities and more than 50 other bugs reported over the last three months.
“PostgreSQL, often simply Postgres, is an object-relational database management system (ORDBMS) with an emphasis on extensibility and standards compliance. As a database server, its primary functions are to store data securely and return that data in response to requests from other software applications.”
Three security vulnerabilities have been patched by the developers:
– CVE-2017-7546: Empty password accepted in some authentication methods.
– CVE-2017-7547: The “pg_user_mappings” catalogue view discloses passwords to users lacking server privileges.
– CVE-2017-7548: lo_put() function ignores ACLs.
The first vulnerability is rated class “A” under the PostgreSQL project's own security classification, its highest level, meaning it can be exploited for privilege escalation without a prior login, and it is considered the most serious of the three. The underlying problem is that some password-based authentication methods, notably the widely used md5 method, accepted an empty password for a role whose password had been set to the empty string. Because libpq refuses to transmit an empty password, psql and other libpq-based clients could never log in this way, so an administrator could reasonably believe that setting an empty password disabled password login; a modified or non-libpq client could still authenticate. The fix makes the server reject empty passwords in every password-based authentication method.
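As an added example, not part of the announcement or of PostgreSQL's own code, the following psql session finds roles that still carry an empty password and clears it. It assumes a superuser connection, since only superusers may read pg_authid.rolpassword, and the pre-10 md5 storage format, in which an empty password is stored as 'md5' followed by md5('' || rolname); the role names it reports are whatever exists on your server.

```sql
-- Added example (not from the release notes). Run as a superuser in psql.
-- Before PostgreSQL 10, "PASSWORD ''" stored a real hash, 'md5' || md5('' || rolname),
-- and with password_encryption = off it stored the empty string itself.
-- The 9.6.4 (etc.) fix rejects such passwords at login time, but the catalog entry
-- stays behind; this query lists every role that still has one.
SELECT rolname,
       rolcanlogin,
       CASE WHEN rolpassword = '' THEN 'empty password stored unencrypted'
            ELSE 'md5 hash of an empty password' END AS finding
FROM pg_authid
WHERE rolpassword = 'md5' || md5('' || rolname)   -- md5-hashed empty password
   OR rolpassword = '';                           -- plaintext empty password

-- Remediation: drop the password entirely so the role can only authenticate through
-- non-password methods configured in pg_hba.conf (or set a real password afterwards).
DO $$
DECLARE
    r record;
BEGIN
    FOR r IN
        SELECT rolname
        FROM pg_authid
        WHERE rolpassword = 'md5' || md5('' || rolname)
           OR rolpassword = ''
    LOOP
        EXECUTE format('ALTER ROLE %I PASSWORD NULL', r.rolname);
        RAISE NOTICE 'cleared empty password on role %', r.rolname;
    END LOOP;
END
$$;
```

A caveat when cleaning up on the 9.x branches: ALTER ROLE ... PASSWORD '' recreates exactly the catalog entry this script removes, so use PASSWORD NULL; only from PostgreSQL 10 onward does an empty string clear the password.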
The second issue could leak passwords stored as user-mapping options for foreign servers (for example, the remote credentials used by postgres_fdw or dblink) to users who have no USAGE privilege on the server in question.
“A user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user.”
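The scenario the release notes describe, reproduced as an added example that is not part of the announcement or of PostgreSQL's own code. It runs as a superuser in psql; the role name alice, the handler-less wrapper dummy_fdw, the server remote_db and the password value are all made up for the demonstration.

```sql
-- Added example (not from the release notes). Run as a superuser in psql.
CREATE ROLE alice LOGIN;
-- A wrapper with no handler or validator is enough to hold a user mapping;
-- with no validator, the mapping options are stored as given.
CREATE FOREIGN DATA WRAPPER dummy_fdw;
CREATE SERVER remote_db FOREIGN DATA WRAPPER dummy_fdw;

-- The administrator (server owner) creates alice's mapping, including the
-- remote password, but deliberately does NOT grant alice USAGE on the server.
CREATE USER MAPPING FOR alice SERVER remote_db
    OPTIONS (user 'alice', password 'example-remote-secret');

-- What alice can see without USAGE on remote_db
SET ROLE alice;
SELECT srvname, usename, umoptions
FROM pg_user_mappings
WHERE srvname = 'remote_db';
RESET ROLE;

-- Grant USAGE: alice is now entitled to see her own mapping options
GRANT USAGE ON FOREIGN SERVER remote_db TO alice;
SET ROLE alice;
SELECT srvname, usename, umoptions
FROM pg_user_mappings
WHERE srvname = 'remote_db';
RESET ROLE;

-- Clean up
DROP USER MAPPING FOR alice SERVER remote_db;
DROP SERVER remote_db;
DROP FOREIGN DATA WRAPPER dummy_fdw;
DROP ROLE alice;
```

On an unpatched server the first SELECT already shows the full option list, password included; on 9.6.4 and the other patched releases the umoptions column is NULL for that row until USAGE has been granted, and the second SELECT then shows the options. Superusers see the options in either case, so run the check as the mapped role, not as postgres.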
The third vulnerability can be exploited by any database user to modify the contents of a large object to which they have no write access. lo_put() should require the same permissions as lowrite(), but the permission check was missing. The fix makes lo_put() check for UPDATE privilege on the target large object, exactly as lowrite() does. lo_put() was introduced in 9.4, so only the 9.4, 9.5 and 9.6 branches carry the bug. Note also that every large-object ACL check, including this one, is skipped when the lo_compat_privileges setting is enabled; it is off by default.
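The following psql session, an added example rather than the project's own code or test, sets up the exact situation the fix addresses: a large object owned by one role, a second role granted only SELECT on it, and a write attempt through lo_put(). It assumes a superuser connection, PostgreSQL 9.4 or later (lo_get, lo_put and lo_from_bytea were added in 9.4) and the default lo_compat_privileges = off; the role names and the content are made up.

```sql
-- Added example (not from the release notes). Run as a superuser in psql on 9.4+.
CREATE ROLE lo_owner LOGIN;
CREATE ROLE lo_reader LOGIN;

-- lo_owner creates a large object containing "Hello" and stores its OID in
-- the psql variable :loid (\gset sends the query and captures the column).
SET ROLE lo_owner;
SELECT lo_from_bytea(0, '\x48656c6c6f'::bytea) AS loid \gset
-- Read-only access for lo_reader: SELECT, but not UPDATE
GRANT SELECT ON LARGE OBJECT :loid TO lo_reader;
RESET ROLE;

SET ROLE lo_reader;
-- Reading is permitted by the SELECT grant
SELECT convert_from(lo_get(:loid), 'UTF8');
-- Writing through the lowrite() path must fail: lo_open() in INV_WRITE mode
-- (0x20000) performs the UPDATE check. Requires a transaction block.
BEGIN;
SELECT lowrite(lo_open(:loid, 131072), '\x4a'::bytea);
ROLLBACK;
-- Writing through lo_put() is the vulnerable path: it must be rejected with
-- the same "permission denied for large object" error as lowrite().
SELECT lo_put(:loid, 0, '\x4a'::bytea);
RESET ROLE;

-- Verify the contents: still "Hello" if the server is patched
SELECT convert_from(lo_get(:loid), 'UTF8');

-- Clean up (unlink first; the roles own or hold privileges on the object)
SELECT lo_unlink(:loid);
DROP ROLE lo_reader;
DROP ROLE lo_owner;
```

On 9.6.3 and earlier the lo_put() call succeeds and the final read returns "Jello"; on the patched releases it fails with a permission error and the object is unchanged. The lowrite() attempt fails on every version, which is what makes the lo_put() discrepancy the bug.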