Merge pull request #4629 from EnterpriseDB/docs/security/security-sec…

…tion-initial-release
EnterpriseDB · Aug 14, 2023 · 528c775 · 528c775
2 parents f72d2fc + 73a9486
commit 528c775
Show file tree

Hide file tree

Showing 9 changed files with 460 additions and 1 deletion.
diff --git a/advocacy_docs/security/advisories/cve.mdx.template b/advocacy_docs/security/advisories/cve.mdx.template
@@ -0,0 +1,63 @@
+---
+title: CVE Title
+navTitle: CVE ID as CVE-Year-Number
+---
+
+First Published: YYYY/MM/DD (ISO8601)
+
+Last Updated: YYYY/MM/DD
+
+## Summary 
+
+SUMMARY
+
+## Vulnerability details
+
+CVE-ID:  LINK TO ID
+
+CVSS Base Score: SCORE
+
+CVSS Temporal Score: TEMPORAL SCORE
+
+CVSS Environmental Score: ENVIRONMENTAL SCORE
+
+CVSS Vector: VECTOR
+
+## Affected products and versions
+
+* LIST OF AFFECTED PRODUCTS
+
+## Remediation/fixes
+
+| Product | VRMF | Remediation/First Fix |
+|---------|------|-----------------------|
+| PRODUCT | VERSION | REMEDIATION |
+
+!!! Note Update
+OPTIONAL UPDATE NOTE
+!!!
+
+## References
+
+* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1)
+* LINKS TO REFERENCES
+
+
+## Related Information
+
+* [EnterpriseDB](https://www.enterprisedb.com/)
+* LINKS TO OTHER RELATED INFORMATION
+* [EDB Blogs Link]()
+
+## Acknowledgement
+
+Source: SOURCE
+
+## Change history
+
+DD mmmm YYYY: ACTION
+
+## Disclaimer
+
+
+This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
diff --git a/advocacy_docs/security/advisories/cve20074639.mdx b/advocacy_docs/security/advisories/cve20074639.mdx
@@ -0,0 +1,57 @@
+---
+title: EDB Advanced Server 8.2 improperly handles debugging function calls
+navTitle: CVE-2007-4639
+---
+
+First Published: 2007/08/31
+
+Last Updated: 2018/10/15
+
+## Summary
+
+EDB Postgres Advanced Server 8.2 (EPAS) does not properly handle certain debugging function calls that occur before a call to `pldbg_create_listener`, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a `pldbg_` function, as demonstrated by (1) `pldbg_get_stack` and (2) `pldbg_abort_target`, which triggers use of an uninitialized pointer.
+
+## Vulnerability details
+
+CVE-ID:  [CVE-2007-4639](https://nvd.nist.gov/vuln/detail/CVE-2007-4639)  
+CVSS Base Score: Undefined  
+CVSS Temporal Score: Undefined  
+CVSS Environmental Score: Undefined  
+CVSS Vector: Undefined
+
+## Affected products and versions
+
+EDB Postgres Advanced Server (EPAS)
+* 8.2
+
+## Remediation/fixes 
+
+| Product | VRMF | Remediation/First Fix |
+|---------|------|-----------------------|
+| EPAS | 8.2 | Upgrade to a supported version of EPAS |
+
+!!! Note Update
+This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.
+!!!
+
+## References
+
+* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1)
+* [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html)
+
+## Related information
+
+* [EnterpriseDB](https://www.enterprisedb.com/)
+* [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server)
+* [EDB Blogs Link]()
+
+## Acknowledgement
+Source: MITRE
+
+## Change history
+
+26 July 2023: Original Copy Published
+
+## Disclaimer
+
+This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/advisories/cve201910128.mdx
@@ -0,0 +1,66 @@
+---
+title: EDB supplied PostgreSQL inherits ACL for installation directory
+navTitle: CVE-2019-10128
+---
+
+First Published: 2021/03/19
+
+Last Updated: 2022/01/01
+
+## Summary
+
+A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.
+
+## Vulnerability details
+
+CVE-ID:   [CVE-2019-10128](https://nvd.nist.gov/vuln/detail/CVE-2019-10128)  
+CVSS Base Score: 7.8  
+CVSS Temporal Score: Undefined  
+CVSS Environmental Score: Undefined  
+CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+
+## Affected products and versions
+
+PostgreSQL
+
+* All versions up to 9.4.21
+* 9.5.0 to 9.5.16
+* 9.6.0 to 9.6.12
+* 10.0 to 10.7
+* 11.0 to 11.2
+
+## Remediation/fixes
+
+| Product | VRMF | Remediation/First Fix |
+|---------|------|-----------------------|
+| Postgresql | Up to 9.4.21 | Update to latest version (at least 9.4.22) |
+| Postgresql | 9.5.0 to 9.5.16 | Update to latest version (at least 9.5.17) |
+| Postgresql | 9.6.0 to 9.6.12 | Update to latest version (at least 9.6.13) |
+| Postgresql | 10.0 to 10.7 | Update to latest version (at least 10.8) |
+| Postgresql | 11.0 to 11.2 | Update to latest version (at least 11.3) |
+
+!!! Note Update
+No updates at this time
+!!!
+
+## References
+
+* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1)
+* [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html)
+
+## Related Information
+
+* [EnterpriseDB](https://www.enterprisedb.com/)
+* [Postgresql](https://www.postgresql.org)
+* [EDB Blogs Link]()
+
+## Acknowledgement
+Source: Red Hat Inc
+
+## Change history
+
+26 July 2023: Original Copy Published
+
+## Disclaimer
+
+This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx
@@ -0,0 +1,68 @@
+---
+title: EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0
+navTitle: CVE-2023-31043
+---
+
+First Published: 2023/04/23
+
+Last Updated: 2023/05/02
+
+## Summary
+
+EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0.
+
+## Vulnerability details
+
+CVE-ID:  [CVE-2023-31043](https://nvd.nist.gov/vuln/detail/CVE-2023-31043)  
+CVSS Base Score: 7.5  
+CVSS Temporal Score: Undefined  
+CVSS Environmental Score: Undefined  
+CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+
+## Affected products and versions
+
+EDB Postgres Advanced Server (EPAS)
+
+* All versions up to 10.23.32
+* 11.1.7 to 11.18.28
+* 12.1.2 to 12.13.16
+* 13.1.4 to 13.9.12
+* 14.1.0 to 14.5.0
+* 14.1.0 to 14.5.0
+
+## Remediation/fixes
+
+| Product | VRMF | Remediation/First Fix |
+|---------|------|-----------------------|
+| EPAS | All versions <br/>up to 10.23.32 | Update to latest supported version <br/> (at least [10.23.33](https://www.enterprisedb.com/docs/epas/10/epas_rel_notes/epas10_23_33_rel_notes/)) |
+| EPAS | 11.1.7 to <br/>11.18.28 | Update to latest supported version <br/> (at least [11.18.29](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas11_18_29_rel_notes/)) |
+| EPAS | 12.1.2 to <br/>12.13.16 | Update to latest supported version <br/> (at least [12.13.17](https://www.enterprisedb.com/docs/epas/12/epas_rel_notes/epas12_13_17_rel_notes/)) |
+| EPAS | 13.1.4 to <br/>13.9.12 | Update to latest supported version <br/> (at least [13.9.13](https://www.enterprisedb.com/docs/epas/13/epas_rel_notes/epas13_9_13_rel_notes/)) |
+| EPAS | 14.1.0 to <br/>14.5.0 | Update to latest supported version <br/> (at least [14.6.0](https://www.enterprisedb.com/docs/epas/14/epas_rel_notes/epas14_6_0_notes/))|
+
+!!! Note Update
+No Updates at this time
+!!!
+
+## References
+
+* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1)
+* [CWE-312 Cleartext Storage of Sensitive Information](http://cwe.mitre.org/data/definitions/312.html)
+
+
+## Related information
+
+* [EnterpriseDB](https://www.enterprisedb.com/)
+* [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server)
+* [EDB Blogs Link]()
+
+## Acknowledgement
+Source: Mitre
+
+## Change history
+
+26 July 2023: Original Copy Published
+
+## Disclaimer
+
+This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/advisories/index.mdx
@@ -0,0 +1,40 @@
+---
+title: EDB Security Advisories
+navTitle: Advisories
+iconName: Security
+hideKBLink: true
+hideToC: true
+---
+
+## Advisories
+
+<table class="table table-bordered overflow-hidden"><tr><td>
+<details><summary><h3 style="display:inline"><a href="cve202331043">CVE-2023-31043</a></h3><h4>EDB Postgres Advanced Server 10.23.32 to 14.5.0</h4>
+Updated: 2023/05/02<br/>
+EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0
+<br/></summary>
+<hr/>
+<em>Summary:</em> EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0.
+<a href="cve202331043">Read More...</a>
+</details></td></tr></table>
+
+<table class="table table-bordered overflow-hidden"><tr><td>
+<details><summary><h3 style="display:inline"><a href="cve201910128">CVE-2019-10128</a></h3><h4>PostgreSQL</h4>
+Updated: 2022/01/01<br/>
+EDB supplied PostgreSQL inherits ACL for installation directory
+<br/></summary>
+<hr/>
+<em>Summary:</em> A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.
+<h5><a href="cve201910128">Read More...</a></h5>
+</details></td></tr></table>
+
+<table class="table table-bordered overflow-hidden"><tr><td>
+<details><summary><h3 style="display:inline"><a href="cve20074639">CVE-2007-4639</a></h3><h4>EDB Postgres Advanced Server version 8.2</h4>
+Updated: 2018/10/15<br/>
+EDB Advanced Server 8.2 improperly handles debugging function calls
+<br/></summary>
+<hr/>
+<em>Summary:</em> EDB Postgres Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to <code>pldbg_create_listener</code>, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a <code>pldbg_</code> function, as demonstrated by (1) <code>pldbg_get_stack</code> and (2) <code>pldbg_abort_target</code>, which triggers use of an uninitialized pointer.
+<h5><a href="cve20074639">Read More...</a></h5>
+</details></td></tr></table>
+
diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx
@@ -0,0 +1,55 @@
+---
+title: EDB Security
+navTitle: EDB Security
+hideToC: true
+directoryDefaults:
+  iconName: Security
+  indexCards: none
+  hideKBLink: true
+navigation:
+  - vulnerability-disclosure-policy
+  - advisories
+---
+
+EDB is committed to a security first approach, from the products we build and the platforms we operate, to the services we provide our customers. Transparency is a core principle for the program and part of this effort includes welcoming incoming reports so that we can address concerns surfaced by our customers or security researchers. You’ll also find it in our advisories, which detail issues found and the required fixes or mitigations needed to keep your data and databases safe.
+
+## Policies
+
+* <h3><a href="vulnerability-disclosure-policy">EDB Vulnerability Disclosure Policy</a></h3>
+This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EDB.
+
+## Advisories
+
+
+<table class="table table-bordered overflow-auto"><tr><td>
+<details><summary><h3 style="display:inline"><a href="advisories/cve202331043">CVE-2023-31043</a></h3><h4>EDB Postgres Advanced Server 10.23.32 to 14.5.0</h4>
+Updated: 2023/05/02<br/>
+EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0
+<br/></summary>
+<hr/>
+<em>Summary:</em> EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0.
+<a href="advisories/cve202331043">Read More...</a>
+</details></td></tr></table>
+
+<table class="table table-bordered overflow-auto"><tr><td>
+<details><summary><h3 style="display:inline"><a href="advisories/cve201910128">CVE-2019-10128</a></h3><h4>PostgreSQL</h4>
+Updated: 2022/01/01<br/>
+EDB supplied PostgreSQL inherits ACL for installation directory
+<br/></summary>
+<hr/>
+<em>Summary:</em> A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.
+<h5><a href="advisories/cve201910128">Read More...</a></h5>
+</details></td></tr></table>
+
+<table class="table table-bordered overflow-auto"><tr><td>
+<details><summary><h3 style="display:inline"><a href="advisories/cve20074639">CVE-2007-4639</a></h3><h4>EDB Postgres Advanced Server version 8.2</h4>
+Updated: 2018/10/15<br/>
+EDB Advanced Server 8.2 improperly handles debugging function calls
+<br/></summary>
+<hr/>
+<em>Summary:</em> EDB Postgres Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to <code>pldbg_create_listener</code>, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a <code>pldbg_</code> function, as demonstrated by (1) <code>pldbg_get_stack</code> and (2) <code>pldbg_abort_target</code>, which triggers use of an uninitialized pointer.
+<h5><a href="advisories/cve20074639">Read More...</a></h5>
+</details></td></tr></table>
+
+
+