EDB Security Advisory: Multiple PostgreSQL and EPAS Vulnerabilities

August 21, 2023

The August quarterly maintenance releases for community PostgreSQL and EnterpriseDB Advanced Server bring important updates that require action for environments running affected versions. The PostgreSQL Global Development Group has published two CVEs, with fixes included in the August maintenance releases (see the CVE links for impacted versions).

CVE-2023-39417 - Extension script @substitutions@ within quoting allow SQL injection

  • In the extension script, a SQL injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

CVE-2023-39418 - MERGE fails to enforce UPDATE or SELECT row security policies

  • A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

EDB has also identified 8 new vulnerabilities impacting all prior versions of EnterpriseDB Advanced Server with remediations provided as part of the August maintenance release. All 8 CVEs are related in nature and have been submitted to the national vulnerability database and are pending IDs at this time. More information can be found on the EDB Security site. 

EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path

  • All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0 and 15.4.0 contain packages, standalone packages and functions that run SECURITY DEFINER but are inadequately secured against search_path attacks.
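As an added example that is not part of the advisory, the following SQL lists SECURITY DEFINER routines whose definition does not pin search_path (the condition that makes this class of issue exploitable) and then shows the hardened definition pattern. The schema, table, function and role names (app, app.accounts, account_balance, app_reader) are hypothetical; this audit covers user-defined routines and does not replace running edb_sqlpatch for the EPAS built-in packages.

```sql
-- Added example, not from the advisory: audit SECURITY DEFINER routines for a pinned search_path.
-- A SECURITY DEFINER routine without its own SET search_path resolves unqualified names using the
-- caller's search_path, so the owner's privileges can be applied to objects the caller chose.
SELECT n.nspname                                  AS schema_name,
       p.proname                                  AS routine_name,
       pg_get_function_identity_arguments(p.oid)  AS arguments,
       pg_get_userbyid(p.proowner)                AS owner,
       p.proconfig                                AS per_routine_settings   -- NULL = nothing pinned
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.prosecdef                                -- SECURITY DEFINER routines only
  AND  n.nspname NOT IN ('pg_catalog', 'information_schema')  -- extend for EPAS built-in schemas
  AND  NOT EXISTS (
         SELECT 1
         FROM   unnest(coalesce(p.proconfig, ARRAY[]::text[])) AS cfg
         WHERE  cfg LIKE 'search_path=%')
ORDER  BY 1, 2;

-- Hardened definition pattern (hypothetical names): pin search_path so every unqualified
-- reference resolves in pg_catalog, and replace the default PUBLIC EXECUTE grant with an
-- explicit grant to the role that needs it.
CREATE OR REPLACE FUNCTION app.account_balance(p_account_id bigint)
RETURNS numeric
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
  SELECT balance FROM app.accounts WHERE account_id = p_account_id;
$$;
REVOKE EXECUTE ON FUNCTION app.account_balance(bigint) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.account_balance(bigint) TO app_reader;
```

Re-running the audit after the CREATE OR REPLACE should no longer list app.account_balance, because its proconfig now carries the search_path setting.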

EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser

  • All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0 and 15.4.0 contain the function _dbms_aq_move_to_exception_queue which may be used to elevate a user’s privileges to superuser. This function accepts the OID of a table, then accesses that table as the superuser using SELECT and DML commands.

EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass

  • All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0 and 15.4.0 may allow an authenticated user to bypass authorization requirements and access underlying implementation functions. When a superuser has configured file locations using CREATE DIRECTORY, these functions allow users to take a wide range of actions, including read, write, copy, rename, and delete.

EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission

  • All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0 and 15.4.0 permit an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user’s permissions.

EDB Postgres Advanced Server (EPAS) read permission bypass on large objects

  • In all versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0 and 15.4.0, UTL_ENCODE allows an authenticated user to read any large object, regardless of that user's permissions.

EDB Postgres Advanced Server (EPAS) authenticated users may fetch any URL

  • All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0 and 15.4.0 contain the functions get_url_as_text and get_url_as_bytea. These functions are publicly executable, thus permitting an authenticated user to read any file from the local filesystem or remote system regardless of that user's permissions.

EDB Postgres Advanced Server (EPAS) permissions bypass via accesshistory()

  • All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0 and 15.4.0 allow an authenticated user to obtain information about whether certain files exist on disk, what errors if any occur when attempting to read them, and some limited information about their contents, regardless of permissions. This can occur when a superuser has configured one or more directories for filesystem access via CREATE DIRECTORY and adopted certain non-default settings for log_line_prefix and log_connections.

EDB Postgres Advanced Server (EPAS) permission bypass for materialized views

  • In all versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0 and 15.4.0, DBMS_MVIEW allows an authenticated user to refresh any materialized view, regardless of that user's permissions.

EDB encourages PostgreSQL community and EPAS users to plan and patch systems immediately to the latest August release. EPAS customers are required to run an associated patching tool made available with the release. Additional instructions can be found in the Support Portal knowledge base and, as always, EDB is here to help customers. If you require further information or have a question, please reach out to Support Services for assistance. You can reach us directly on the Support Portal or by email at techsupport@enterprisedb.com.

Advisory Frequently Asked Questions

1. Can I fix these vulnerabilities without updating to a new minor release of EPAS?

Unfortunately, this is not possible. edb_sqlpatch is a new tool which is only available beginning in the releases which contain fixes for these vulnerabilities. Furthermore, one of these vulnerabilities cannot be patched unless the running EPAS binaries are from a fixed version. Therefore, it is necessary to install the fixed packages on the OS level, restart the database, and then run edb_sqlpatch.

2. Do I need to restart the database server to apply these fixes?

edb_sqlpatch itself will not restart the database server or disrupt existing connections to the server. However, you must update to a fixed minor release before running edb_sqlpatch, which, as with every minor release, does require a server restart.

3. Am I still vulnerable if I run initdb with the --no-redwood-compat option?

If a database cluster was created using the --no-redwood-compat option, the majority of the fixes are not required. However, some vulnerabilities still exist and some fixes are still needed. edb_sqlpatch will automatically take the appropriate actions for your database cluster, so there is no difference in procedure based on whether --no-redwood-compat was used.

4. How can I get more information? 

You can reach us directly on the Support Portal or by email at techsupport@enterprisedb.com. For more information, see the EDB Vulnerability Disclosure policy.
