From f319247740b013e1ef6e978d19dc7b2f4bcfdf14 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 27 Jul 2023 15:07:24 +0100 Subject: [PATCH 01/18] Prototype Sec content presentation Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/index.mdx | 19 ++++ .../security/vulnerability-policy.mdx | 105 ++++++++++++++++++ src/components/footer.js | 4 + src/templates/learn-doc.js | 2 +- 4 files changed, 129 insertions(+), 1 deletion(-) create mode 100644 advocacy_docs/security/index.mdx create mode 100644 advocacy_docs/security/vulnerability-policy.mdx diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx new file mode 100644 index 00000000000..2e92c5c8ece --- /dev/null +++ b/advocacy_docs/security/index.mdx @@ -0,0 +1,19 @@ +--- +title: EDB Security +navTitle: EDB Security +iconName: Security +hideKBLink: true +--- + +We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). Here are the current notifications and policies. + +## Notifications + +* No current notifications. + +## Policies + +Below are the current notification policies in operation: + +* [EDB Vulnerability Disclosure Policy](vulnerability-policy) + diff --git a/advocacy_docs/security/vulnerability-policy.mdx b/advocacy_docs/security/vulnerability-policy.mdx new file mode 100644 index 00000000000..9f794bcd71a --- /dev/null +++ b/advocacy_docs/security/vulnerability-policy.mdx 
@@ -0,0 +1,105 @@ +--- +title: EDB Vulnerability Disclosure Policy +navTitle: Vulnerability Disclosure +iconName: Security +hideKBLink: true +--- + +We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). + +## Introduction + +This policy outlines how [EnterpriseDB](https://www.enterprisedb.com/) handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EnterpriseDB. + + +## Audience + +This policy outlines the procedure for external security researchers, customers, partners, and the wider community to report potential security vulnerabilities. If you believe you have discovered a potential security vulnerability impacting EnterpriseDB, please follow our reporting process set forth below. + + +## Reporting Vulnerabilities + +If you have identified a potential security vulnerability, please notify us at [security@enterprisedb.com](mailto:security@enterprisedb.com). + +The following should be included in your message: + +* **Description** - detailed information about the nature of the vulnerability +* **Proof of Concept** - including steps to reproduce the issue, uncompiled source code, and/or screen shots +* **Impact** - the potential impact, and any relevant technical details. +* Remediation recommendations +* References if available + +If, during the course of your research, you suspect you have encountered sensitive information, immediately cease all activities and contact us at [security@enterprisedb.com](mailto:security@enterprisedb.com). + + +## Our Commitments + +When a vulnerability report is received, we commit to: + +* Acknowledging receipt of your vulnerability report in a timely manner. +* Validating the reported vulnerability. 
+* Prioritizing and resolving validated vulnerabilities, communicating progress and mitigation actions as appropriate. +* Notifying you when the vulnerability is resolved, where possible. + + +## Safe Harbor + +We appreciate the security community’s efforts to help us identify and securely remediate any vulnerabilities that may impact EnterpriseDB or our customers. When you investigate and report vulnerabilities under this policy, we grant you a “safe harbor,” and will not pursue claims against you for any lawful conduct. + + +## Confidentiality + +Please do not share information about the vulnerability with others until we've had reasonable time to address it. If you've discovered a vulnerability, please do not disclose it publicly without our consent. + + +## Rewards + +While we don't have a formal bug bounty program, we recognize and appreciate the valuable role that security researchers play in the discovery and mitigation of vulnerabilities. EnterpriseDB may, at its own discretion, provide rewards for the disclosure of previously unknown vulnerabilities, depending on their severity and impact. + + +## Disclaimer + +While we strive to acknowledge, triage and respond to all reports as quickly as possible, this policy does not constitute a binding agreement. 
+ + +## Out of Scope + +The following types of attacks are out of scope and are not eligible for a reward or covered under safe harbor: + +* Brute force attacks such as credential stuffing, dictionary attacks, password spraying and any use of botnets (crawling our sites and services is okay) +* Denial of service attacks such as distributed denial of service, advanced persistent denial of service and certain types of application layer attacks +* Information disclosure that only contains version information unless that information is included in a working proof of concept +* Missing best practices in regards to header configurations, SPF/DKIM/DMARC records and SSL/TLS configurations +* Cross-Site Request Forgery (CSRF) on unauthenticated forms, or forms with no sensitive actions +* Clickjacking on pages with no sensitive actions +* Vulnerabilities that only affect users of outdated or unpatched software or services + + +Thank you for helping to keep [EnterpriseDB](https://www.enterprisedb.com/) and our customers safe! + +By submitting a vulnerability, you acknowledge that you have read and agreed to this policy. + +Please note that this policy may be updated from time to time. Please refer to the latest version before reporting a vulnerability. + + +### Change Log + + + + + + + + + + + + +
Date + Description + Version +
July 20th 2023 + Document creation + 1.0 +
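Review bot: in patch 01's vulnerability-policy.mdx the Our Commitments list promises acknowledgement "in a timely manner" but nothing in the policy says what that means, so a reporter has no way to know when to follow up; state a concrete acknowledgement window (for example a number of business days agreed with the security team) alongside the validation and resolution commitments. Smaller points in the same file: the Reporting Vulnerabilities bullets mix terminal periods with none, "screen shots" should be "screenshots", and the Change Log is written as an HTML table while the rest of this series uses pipe tables, so `| Date | Description | Version |` markdown would be easier to maintain and render the same.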
+ diff --git a/src/components/footer.js b/src/components/footer.js index 892501692ff..c020ff322fb 100644 --- a/src/components/footer.js +++ b/src/components/footer.js @@ -36,6 +36,10 @@ const Footer = ({ timestamp, githubFileLink }) => ( GDPR · + + Security + + . { return ( - + Date: Thu, 27 Jul 2023 16:15:15 +0100 Subject: [PATCH 02/18] Sec Poc 2 Try 2 Electric Boogaloo Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/index.mdx | 1 + advocacy_docs/security/vulnerability-policy.mdx | 1 + 2 files changed, 2 insertions(+) diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 2e92c5c8ece..8e7ab40b90b 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -17,3 +17,4 @@ Below are the current notification policies in operation: * [EDB Vulnerability Disclosure Policy](vulnerability-policy) + diff --git a/advocacy_docs/security/vulnerability-policy.mdx b/advocacy_docs/security/vulnerability-policy.mdx index 9f794bcd71a..ccc4b2f1814 100644 --- a/advocacy_docs/security/vulnerability-policy.mdx +++ b/advocacy_docs/security/vulnerability-policy.mdx @@ -7,6 +7,7 @@ hideKBLink: true We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). + ## Introduction This policy outlines how [EnterpriseDB](https://www.enterprisedb.com/) handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EnterpriseDB. From 92d246d01a2baa1a39d1a796a2b0004ebd3186e2 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 27 Jul 2023 18:37:48 +0100 Subject: [PATCH 03/18] Added one notification 
Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/index.mdx | 4 +- .../security/notifications/cve20074639.mdx | 57 +++++++++++++++++++ ...dx => vulnerability-disclosure-policy.mdx} | 0 3 files changed, 59 insertions(+), 2 deletions(-) create mode 100644 advocacy_docs/security/notifications/cve20074639.mdx rename advocacy_docs/security/{vulnerability-policy.mdx => vulnerability-disclosure-policy.mdx} (100%) diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 8e7ab40b90b..0eba3d119b6 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -9,12 +9,12 @@ We are committed to a security first approach to everything we do at [Enterprise ## Notifications -* No current notifications. +* [**CVE-2007-4639**](notifications/cve20074639): EnterpriseDB Postgres Advanced Server version 8.2. ## Policies Below are the current notification policies in operation: -* [EDB Vulnerability Disclosure Policy](vulnerability-policy) +* [EDB Vulnerability Disclosure Policy](vulnerability-disclosure-policy) diff --git a/advocacy_docs/security/notifications/cve20074639.mdx b/advocacy_docs/security/notifications/cve20074639.mdx new file mode 100644 index 00000000000..a2cc0fc7e40 --- /dev/null +++ b/advocacy_docs/security/notifications/cve20074639.mdx 
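Review bot: the index.mdx hunk in patch 03 repoints the policy link to `vulnerability-disclosure-policy` because the file is renamed in this same patch, but nothing in the diff adds a redirect from the `vulnerability-policy` path that patch 01 already published, so any existing link to the policy will break; add a redirect for the old path with the rename. The unchanged context line "Below are the current notification policies in operation:" also still says "notification policies" under a heading that is just "Policies"; "Below are the current policies in operation:" reads better.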
@@ -0,0 +1,57 @@ +--- +title: EnterpriseDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability +navTitle: CVE-2007-4639 +--- + +First Published: 08/31/2007 + +Last Updated: 10/15/2018 + +## Summary: + +EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to `pldbg_create_listener`, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a `pldbg_` function, as demonstrated by (1) `pldbg_get_stack` and (2) `pldbg_abort_target`, which triggers use of an uninitialized pointer. + +## Vulnerability Details: +CVE-ID: [CVE-2007-4639](https://nvd.nist.gov/vuln/detail/CVE-2007-4639) +CVSS Base Score: Undefined +CVSS Temporal Score: Undefined +CVSS Environmental Score: Undefined +CVSS Vector: Undefined + +## Affected Products and Versions + +* EnterpriseDB Postgres Advanced Server (EPAS) +8.2 + +## Remediation/Fixes: + +| Product | VRMF | Remediation/First Fix | +|---------|------|-----------------------| +| EPAS | 8.2 | Upgrade to a supported version of EPAS | + +!!! Note Update +This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided. +!!! 
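Review bot: in patch 03's new cve20074639.mdx the Vulnerability Details block puts `CVE-ID:`, `CVSS Base Score:` and the other fields on consecutive lines with no blank line between them, so MDX renders them as one run-on paragraph; separate them with blank lines. The Affected Products bullet is also split, with `* EnterpriseDB Postgres Advanced Server (EPAS)` on one line and `8.2` on the next, so the version renders as loose text; keep it on one line or make the version its own bullet. The file still carries template residue that must not be published as-is: the empty `[EDB Blogs Link]()` and `[EDB Security Trust Center Link (or wherever the advisory is published)]()` links, the "Legal can put any disclaimer they would like here" disclaimer, and a References entry that links the CVSS 3.1 calculator while every CVSS field reads Undefined. Dates also mix `08/31/2007` with `26 July 2023`; pick one format for the series.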
+ +## References: + +* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1) +* [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html) + +## Related Information: + +* [EnterpriseDB](https://www.enterprisedb.com/) +* [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server) +* [EDB Blogs Link]() +* [EDB Security Trust Center Link (or wherever the advisory is published)]() + +## Acknowledgement: +Source: MITRE + +## Change History: + +26 July 2023: Original Copy Published + +## Disclaimer: + +Legal can put any disclaimer they would like here diff --git a/advocacy_docs/security/vulnerability-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx similarity index 100% rename from advocacy_docs/security/vulnerability-policy.mdx rename to advocacy_docs/security/vulnerability-disclosure-policy.mdx From db47cabdac97fe85efbd1116f4f4d29049febae2 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 27 Jul 2023 18:47:56 +0100 Subject: [PATCH 04/18] Fix line formatting Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/notifications/cve20074639.mdx | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/advocacy_docs/security/notifications/cve20074639.mdx b/advocacy_docs/security/notifications/cve20074639.mdx index a2cc0fc7e40..ad55a177151 100644 --- a/advocacy_docs/security/notifications/cve20074639.mdx +++ b/advocacy_docs/security/notifications/cve20074639.mdx 
@@ -12,10 +12,15 @@ Last Updated: 10/15/2018 EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to `pldbg_create_listener`, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a `pldbg_` function, as demonstrated by (1) `pldbg_get_stack` and (2) `pldbg_abort_target`, which triggers use of an uninitialized pointer. ## Vulnerability Details: + CVE-ID: [CVE-2007-4639](https://nvd.nist.gov/vuln/detail/CVE-2007-4639) + CVSS Base Score: Undefined + CVSS Temporal Score: Undefined + CVSS Environmental Score: Undefined + CVSS Vector: Undefined ## Affected Products and Versions From caf5210ce7b51aca71d26e66d9e563293d59e171 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Fri, 28 Jul 2023 15:50:06 +0100 Subject: [PATCH 05/18] Updated email address for disclosures Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/vulnerability-disclosure-policy.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index ccc4b2f1814..72252026519 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx @@ -20,7 +20,7 @@ This policy outlines the procedure for external security researchers, customers, ## Reporting Vulnerabilities -If you have identified a potential security vulnerability, please notify us at [security@enterprisedb.com](mailto:security@enterprisedb.com). +If you have identified a potential security vulnerability, please notify us at [disclosures@enterprisedb.com](mailto:disclosures@enterprisedb.com). The following should be included in your message: 
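Review bot: this patch 05 hunk switches the Reporting Vulnerabilities address to disclosures@enterprisedb.com, but the diffstat shows only two lines changed in the file, so the sentence from patch 01 that says "If, during the course of your research, you suspect you have encountered sensitive information, immediately cease all activities and contact us at [security@enterprisedb.com](mailto:security@enterprisedb.com)" still sends reporters to the old address; update that mailto in the same commit so the policy gives one contact. The patch's second hunk only expands contractions in the Confidentiality section, which is unrelated to the subject "Updated email address for disclosures" and would be clearer as its own commit.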
@@ -50,7 +50,7 @@ We appreciate the security community’s efforts to help us identify and securel ## Confidentiality -Please do not share information about the vulnerability with others until we've had reasonable time to address it. If you've discovered a vulnerability, please do not disclose it publicly without our consent. +Please do not share information about the vulnerability with others until we have had reasonable time to address it. If you have discovered a vulnerability, please do not disclose it publicly without our consent. ## Rewards From 773184e8868b19706834b644dfaba79fcedfd761 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Tue, 1 Aug 2023 16:16:26 +0100 Subject: [PATCH 06/18] Updated content for preview Signed-off-by: Dj Walker-Morgan --- .../security/advisories/cve.mdx.template | 62 ++++++++++++++++ .../cve20074639.mdx | 0 .../security/advisories/cve201910128.mdx | 65 +++++++++++++++++ .../security/advisories/cve202331043.mdx | 71 +++++++++++++++++++ advocacy_docs/security/index.mdx | 13 ++-- 5 files changed, 207 insertions(+), 4 deletions(-) create mode 100644 advocacy_docs/security/advisories/cve.mdx.template rename advocacy_docs/security/{notifications => advisories}/cve20074639.mdx (100%) create mode 100644 advocacy_docs/security/advisories/cve201910128.mdx create mode 100644 advocacy_docs/security/advisories/cve202331043.mdx diff --git a/advocacy_docs/security/advisories/cve.mdx.template b/advocacy_docs/security/advisories/cve.mdx.template new file mode 100644 index 00000000000..35228c83f26 --- /dev/null +++ b/advocacy_docs/security/advisories/cve.mdx.template 
@@ -0,0 +1,62 @@ +--- +title: CVE Title +navTitle: CVE ID as CVE-Year-Number +--- + +First Published: MM/DD/YYYY + +Last Updated: MM/DD/YYYY + +## Summary: + +SUMMARY + +## Vulnerability Details: + +CVE-ID: LINK TO ID + +CVSS Base Score: SCORE + +CVSS Temporal Score: TEMPORAL SCORE + +CVSS Environmental Score: ENVIRONMENTAL SCORE + +CVSS Vector: VECTOR + +## Affected Products and Versions + +* LIST OF AFFECTED PRODUCTS + +## Remediation/Fixes: + +| Product | VRMF | Remediation/First Fix | +|---------|------|-----------------------| +| PRODUCT | VERSION | REMEDIATION | + +!!! Note Update +OPTIONAL UPDATE NOTE +!!! + +## References: + +* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1) +* LINKS TO REFERENCES + + +## Related Information: + +* [EnterpriseDB](https://www.enterprisedb.com/) +* LINKS TO OTHER RELATED INFORMATION +* [EDB Blogs Link]() +* [EDB Security Trust Center Link (or wherever the advisory is published)]() + +## Acknowledgement: +Source: SOURCE + +## Change History: + +DD mmmm YYYY: ACTION + +## Disclaimer: + +Legal can put any disclaimer they would like here diff --git a/advocacy_docs/security/notifications/cve20074639.mdx b/advocacy_docs/security/advisories/cve20074639.mdx similarity index 100% rename from advocacy_docs/security/notifications/cve20074639.mdx rename to advocacy_docs/security/advisories/cve20074639.mdx diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/advisories/cve201910128.mdx new file mode 100644 index 00000000000..f9666a68942 --- /dev/null +++ b/advocacy_docs/security/advisories/cve201910128.mdx 
@@ -0,0 +1,65 @@ +--- +title: Multiple postgresql versions are affected by a high severity vulnerability +navTitle: CVE-2019-10128 +--- + +First Published: 03/19/2021 + +Last Updated: 01/01/2022 + +## Summary: + +A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. + +## Vulnerability Details: + +CVE-ID: [CVE-2019-10128](https://nvd.nist.gov/vuln/detail/CVE-2019-10128) + +CVSS Base Score: 7.8 + +CVSS Temporal Score: Undefined + +CVSS Environmental Score: Undefined + +CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H + +## Affected Products and Versions + +* LIST OF AFFECTED PRODUCTS + +## Remediation/Fixes: + +| Product | VRMF | Remediation/First Fix | +|---------|------|-----------------------| +| Postgresql | Up to 9.4.21 | Update to latest version (at least 9.4.22) | +| Postgresql | 9.5.0 to 9.5.16 | Update to latest version (at least 9.5.17) | +| Postgresql | 9.6.0 to 9.6.12 | Update to latest version (at least 9.6.13) | +| Postgresql | 10.0 to 10.7 | Update to latest version (at least 10.8) | +| Postgresql | 11.0 to 11.2 | Update to latest version (at least 11.3) | + +!!! Note Update +No updates at this time +!!! 
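Review bot: in patch 06's new cve201910128.mdx the Summary says the vulnerability was found in "postgresql versions 11.x prior to 11.3", but the Remediation/Fixes table lists fixed releases for the 9.4, 9.5, 9.6, 10 and 11 branches, so the summary understates the affected range; align the first sentence with the table. The Affected Products and Versions section still contains the template placeholder `* LIST OF AFFECTED PRODUCTS` and needs the real list before publication. Minor: "Postgresql" should be "PostgreSQL" throughout, and a "First Published: 03/19/2021" date for a 2019 CVE is worth checking against the original advisory.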
+ +## References: + +* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1) +* [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html) + +## Related Information: + +* [EnterpriseDB](https://www.enterprisedb.com/) +* [Postgresql](https://www.postgresql.org) +* [EDB Blogs Link]() +* [EDB Security Trust Center Link (or wherever the advisory is published)]() + +## Acknowledgement: +Source: Red Hat Inc + +## Change History: + +26 July 2023: Original Copy Published + +## Disclaimer: + +Legal can put any disclaimer they would like here diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx new file mode 100644 index 00000000000..56a8ea74581 --- /dev/null +++ b/advocacy_docs/security/advisories/cve202331043.mdx 
@@ -0,0 +1,71 @@ +--- +title: Multiple versions of EnterpriseDB EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +navTitle: CVE-2023-31043 +--- + +First Published: 04/23/2023 + +Last Updated: 05/02/2023 + +## Summary: + +EnterpriseDB EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. + +## Vulnerability Details: + +CVE-ID: [CVE-2023-31043](https://nvd.nist.gov/vuln/detail/CVE-2023-31043) + +CVSS Base Score: 7.5 + +CVSS Temporal Score: Undefined + +CVSS Environmental Score: Undefined + +CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N + +## Affected Products and Versions + +EnterpriseDB Postgres Advanced Server (EPAS) +* All versions up to 10.23.32 +* 11.1.7 to 11.18.28 +* 12.1.2 to 12.13.16 +* 13.1.4 to 13.9.12 +* 14.1.0 to 14.6.0 + +## Remediation/Fixes: + +| Product | VRMF | Remediation/First Fix | +|---------|------|-----------------------| +| EPAS | All versions
up to 10.23.32 | Update to latest supported version
(at least [10.23.33](https://www.enterprisedb.com/docs/epas/10/epas_rel_notes/epas10_23_33_rel_notes/) | +| EPAS | 11.1.7 to
11.18.28 | Update to latest supported version
(at least [11.18.29](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas11_18_29_rel_notes/) | +| EPAS | 12.1.2 to
12.13.16 | Update to latest supported version
(at least [12.13.17](https://www.enterprisedb.com/docs/epas/12/epas_rel_notes/epas12_13_17_rel_notes/ ) | +| EPAS | 13.1.4 to
13.9.12 | Update to latest supported version
(at least [13.9.13](https://www.enterprisedb.com/docs/epas/13/epas_rel_notes/epas13_9_13_rel_notes/) | +| EPAS | 14.1.0 to
14.5.0 | Update to latest supported version
(at least [14.6.0](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas14_6_0_notes/) | + +!!! Note Update +No Updates at this time +!!! + +## References: + +* [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1) +* [CWE-312 Cleartext Storage of Sensitive Information](http://cwe.mitre.org/data/definitions/312.html) + + +## Related Information: + +* [EnterpriseDB](https://www.enterprisedb.com/) +* [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server) +* [EDB Blogs Link]() +* [EDB Security Trust Center Link (or wherever the advisory is published)]() + +## Acknowledgement: +Source: Mitre + +## Change History: + +26 July 2023: Original Copy Published + +## Disclaimer: + +Legal can put any disclaimer they would like here diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 0eba3d119b6..c7b67ce79e4 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -5,11 +5,9 @@ iconName: Security hideKBLink: true --- -We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). Here are the current notifications and policies. +We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). Here are the current policies and advisories. -## Notifications - -* [**CVE-2007-4639**](notifications/cve20074639): EnterpriseDB Postgres Advanced Server version 8.2. +This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EnterpriseDB. ## Policies 
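Review bot: in patch 06's new cve202331043.mdx the Affected Products list ends with `* 14.1.0 to 14.6.0`, but the Summary names 14.6.0 as a fixed version and the table's last row says `14.1.0 to 14.5.0`; the bullet should read 14.5.0. In the Remediation/Fixes table every row's `(at least [x.y.z](...)` is missing its closing parenthesis, the 12.13.17 link has a stray space before `)`, and the 14.6.0 row links to `/docs/epas/11/epas_rel_notes/epas14_6_0_notes/`, which is the version 11 tree with a file name that does not follow the `epasNN_N_N_rel_notes` pattern of the other rows; verify that URL. The cells also rely on `<br>` for line breaks, and MDX expects void elements to be self-closing (`<br/>`), so either fix the tags or drop the breaks and let the cells wrap. Lastly, the "EnterpriseDB Postgres Advanced Server (EPAS)" line runs straight into the bullet list with no blank line, unlike the other sections.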
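Review bot: the index.mdx hunks in patch 06 copy the policy's introduction ("This policy outlines how EnterpriseDB handles disclosures ...") onto the landing page, where "This policy" has no referent because the page is the index, not the policy; either drop the paragraph or reword it as "Our vulnerability disclosure policy outlines ..." with a link to the policy page. The new Advisories list describes CVE-2023-31043 as "EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0", which reads as one range starting at 10.23.32, while the advisory itself lists all versions up to 10.23.32 plus separate 11.x, 12.x, 13.x and 14.x ranges, and the CVE-2019-10128 entry says only "Postgresql" with no versions; keep these one-line summaries consistent with each advisory's Affected products section.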
@@ -17,4 +15,11 @@ Below are the current notification policies in operation: * [EDB Vulnerability Disclosure Policy](vulnerability-disclosure-policy) +## Advisories + +* [**CVE-2023-31043**](advisories/cve202331043): EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0 +* [**CVE-2019-10128**](advisories/cve201910128): Postgresql +* [**CVE-2007-4639**](advisories/cve20074639): EnterpriseDB Postgres Advanced Server version 8.2. + + From 1eb3bf7ffd72b221dd819574a06fc17c014d3582 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Tue, 1 Aug 2023 16:24:36 +0100 Subject: [PATCH 07/18] Fixed br elements Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/advisories/cve202331043.mdx | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index 56a8ea74581..83789b77f6d 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx +++ b/advocacy_docs/security/advisories/cve202331043.mdx @@ -26,6 +26,7 @@ CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N ## Affected Products and Versions EnterpriseDB Postgres Advanced Server (EPAS) + * All versions up to 10.23.32 * 11.1.7 to 11.18.28 * 12.1.2 to 12.13.16 @@ -36,11 +37,11 @@ EnterpriseDB Postgres Advanced Server (EPAS) | Product | VRMF | Remediation/First Fix | |---------|------|-----------------------| -| EPAS | All versions
up to 10.23.32 | Update to latest supported version
(at least [10.23.33](https://www.enterprisedb.com/docs/epas/10/epas_rel_notes/epas10_23_33_rel_notes/) | -| EPAS | 11.1.7 to
11.18.28 | Update to latest supported version
(at least [11.18.29](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas11_18_29_rel_notes/) | -| EPAS | 12.1.2 to
12.13.16 | Update to latest supported version
(at least [12.13.17](https://www.enterprisedb.com/docs/epas/12/epas_rel_notes/epas12_13_17_rel_notes/ ) | -| EPAS | 13.1.4 to
13.9.12 | Update to latest supported version
(at least [13.9.13](https://www.enterprisedb.com/docs/epas/13/epas_rel_notes/epas13_9_13_rel_notes/) | -| EPAS | 14.1.0 to
14.5.0 | Update to latest supported version
(at least [14.6.0](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas14_6_0_notes/) | +| EPAS | All versions
up to 10.23.32 | Update to latest supported version
(at least [10.23.33](https://www.enterprisedb.com/docs/epas/10/epas_rel_notes/epas10_23_33_rel_notes/)) | +| EPAS | 11.1.7 to
11.18.28 | Update to latest supported version
(at least [11.18.29](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas11_18_29_rel_notes/)) | +| EPAS | 12.1.2 to
12.13.16 | Update to latest supported version
(at least [12.13.17](https://www.enterprisedb.com/docs/epas/12/epas_rel_notes/epas12_13_17_rel_notes/)) | +| EPAS | 13.1.4 to
13.9.12 | Update to latest supported version
(at least [13.9.13](https://www.enterprisedb.com/docs/epas/13/epas_rel_notes/epas13_9_13_rel_notes/)) | +| EPAS | 14.1.0 to
14.5.0 | Update to latest supported version
(at least [14.6.0](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas14_6_0_notes/) | !!! Note Update No Updates at this time From 4c992ad5e0514a3749a3af8f15bca4ee37f1b7c4 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Tue, 1 Aug 2023 19:36:14 +0100 Subject: [PATCH 08/18] Updated with many fixes Signed-off-by: Dj Walker-Morgan --- .../security/advisories/cve.mdx.template | 19 +++++++------- .../security/advisories/cve20074639.mdx | 22 ++++++++-------- .../security/advisories/cve201910128.mdx | 26 ++++++++++++------- .../security/advisories/cve202331043.mdx | 22 ++++++++-------- advocacy_docs/security/advisories/index.mdx | 14 ++++++++++ advocacy_docs/security/index.mdx | 9 +++++-- .../vulnerability-disclosure-policy.mdx | 2 +- 7 files changed, 70 insertions(+), 44 deletions(-) create mode 100644 advocacy_docs/security/advisories/index.mdx diff --git a/advocacy_docs/security/advisories/cve.mdx.template b/advocacy_docs/security/advisories/cve.mdx.template index 35228c83f26..ff839cb4b39 100644 --- a/advocacy_docs/security/advisories/cve.mdx.template +++ b/advocacy_docs/security/advisories/cve.mdx.template @@ -7,11 +7,11 @@ First Published: MM/DD/YYYY Last Updated: MM/DD/YYYY -## Summary: +## Summary SUMMARY -## Vulnerability Details: +## Vulnerability details CVE-ID: LINK TO ID @@ -23,11 +23,11 @@ CVSS Environmental Score: ENVIRONMENTAL SCORE CVSS Vector: VECTOR -## Affected Products and Versions +## Affected products and versions * LIST OF AFFECTED PRODUCTS -## Remediation/Fixes: +## Remediation/fixes | Product | VRMF | Remediation/First Fix | |---------|------|-----------------------| 
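Review bot: the patch 07 table hunk in cve202331043.mdx adds the missing closing parenthesis to the 10.23.33, 11.18.29, 12.13.17 and 13.9.13 rows but leaves the 14.6.0 row unchanged, so `(at least [14.6.0](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas14_6_0_notes/) |` still has an unbalanced parenthesis and still links into the `/epas/11/` tree with a file name unlike the other rows; fix that row in the same pass so the table does not need a third touch.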
@@ -37,26 +37,27 @@ CVSS Vector: VECTOR OPTIONAL UPDATE NOTE !!! -## References: +## References * [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1) * LINKS TO REFERENCES -## Related Information: +## Related Information * [EnterpriseDB](https://www.enterprisedb.com/) * LINKS TO OTHER RELATED INFORMATION * [EDB Blogs Link]() * [EDB Security Trust Center Link (or wherever the advisory is published)]() -## Acknowledgement: +## Acknowledgement + Source: SOURCE -## Change History: +## Change history DD mmmm YYYY: ACTION -## Disclaimer: +## Disclaimer Legal can put any disclaimer they would like here diff --git a/advocacy_docs/security/advisories/cve20074639.mdx b/advocacy_docs/security/advisories/cve20074639.mdx index ad55a177151..fc2a3a2f557 100644 --- a/advocacy_docs/security/advisories/cve20074639.mdx +++ b/advocacy_docs/security/advisories/cve20074639.mdx @@ -7,11 +7,11 @@ First Published: 08/31/2007 Last Updated: 10/15/2018 -## Summary: +## Summary EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to `pldbg_create_listener`, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a `pldbg_` function, as demonstrated by (1) `pldbg_get_stack` and (2) `pldbg_abort_target`, which triggers use of an uninitialized pointer. -## Vulnerability Details: +## Vulnerability details CVE-ID: [CVE-2007-4639](https://nvd.nist.gov/vuln/detail/CVE-2007-4639) @@ -23,12 +23,12 @@ CVSS Environmental Score: Undefined CVSS Vector: Undefined -## Affected Products and Versions +## Affected products and versions -* EnterpriseDB Postgres Advanced Server (EPAS) -8.2 +EnterpriseDB Postgres Advanced Server (EPAS) +* 8.2 -## Remediation/Fixes: +## Remediation/fixes | Product | VRMF | Remediation/First Fix | |---------|------|-----------------------| 
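Review bot: in patch 08's cve.mdx.template hunks the headings are normalized to sentence case (`## Vulnerability details`, `## Remediation/fixes`, `## Change history`) but `## Related Information` keeps title case; since every advisory is meant to be generated from this template, change it to `## Related information` here so the inconsistency does not propagate to new advisories.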
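Review bot: in patch 08's cve20074639.mdx Affected products hunk, `+EnterpriseDB Postgres Advanced Server (EPAS)` is immediately followed by `+* 8.2` with no blank line, whereas patch 07 inserted a blank line at the same spot in cve202331043.mdx and the cve201910128.mdx hunk in this patch does the same; add the blank line here for consistent rendering of the product name as its own paragraph.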
@@ -38,25 +38,25 @@ CVSS Vector: Undefined This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided. !!! -## References: +## References * [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1) * [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html) -## Related Information: +## Related information * [EnterpriseDB](https://www.enterprisedb.com/) * [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server) * [EDB Blogs Link]() * [EDB Security Trust Center Link (or wherever the advisory is published)]() -## Acknowledgement: +## Acknowledgement Source: MITRE -## Change History: +## Change history 26 July 2023: Original Copy Published -## Disclaimer: +## Disclaimer Legal can put any disclaimer they would like here diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/advisories/cve201910128.mdx index f9666a68942..3f4fab2b108 100644 --- a/advocacy_docs/security/advisories/cve201910128.mdx +++ b/advocacy_docs/security/advisories/cve201910128.mdx 
@@ -7,11 +7,11 @@ First Published: 03/19/2021 Last Updated: 01/01/2022 -## Summary: +## Summary A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. -## Vulnerability Details: +## Vulnerability details CVE-ID: [CVE-2019-10128](https://nvd.nist.gov/vuln/detail/CVE-2019-10128) @@ -23,11 +23,17 @@ CVSS Environmental Score: Undefined CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -## Affected Products and Versions +## Affected products and versions -* LIST OF AFFECTED PRODUCTS +PostgreSQL -## Remediation/Fixes: +* All versions up to 9.4.21 +* 9.5.0 to 9.5.16 +* 9.6.0 to 9.6.12 +* 10.0 to 10.7 +* 11.0 to 11.2 + +## Remediation/fixes | Product | VRMF | Remediation/First Fix | |---------|------|-----------------------| 
@@ -41,25 +47,25 @@ CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H No updates at this time !!! -## References: +## References * [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1) * [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html) -## Related Information: +## Related Information * [EnterpriseDB](https://www.enterprisedb.com/) * [Postgresql](https://www.postgresql.org) * [EDB Blogs Link]() * [EDB Security Trust Center Link (or wherever the advisory is published)]() -## Acknowledgement: +## Acknowledgement Source: Red Hat Inc -## Change History: +## Change History 26 July 2023: Original Copy Published -## Disclaimer: +## Disclaimer Legal can put any disclaimer they would like here diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index 83789b77f6d..2d5e0d3a127 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx +++ b/advocacy_docs/security/advisories/cve202331043.mdx @@ -1,5 +1,5 @@ --- -title: Multiple versions of EnterpriseDB EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +title: Multiple versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability navTitle: CVE-2023-31043 --- 
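Review bot: Heading case in the `@@ -41,25 +47,25 @@` hunk of cve201910128.mdx is inconsistent with the rest of this commit: this file gets `+## Related Information` and `+## Change History`, while cve20074639.mdx and cve202331043.mdx get sentence case for both headings (a later commit in the series lowercases `Change history` here but leaves `Related Information` as is). Use sentence case in all three. Separately, the `No updates at this time` note under Remediation/fixes sits beside an affected-versions list whose ranges stop at specific releases (9.4.21, 9.5.16, 9.6.12, 10.7, 11.2); if fixed releases exist the table should list them, and if none are being offered the note should say that rather than look like an unfinished template.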
@@ -7,11 +7,11 @@ First Published: 04/23/2023 Last Updated: 05/02/2023 -## Summary: +## Summary -EnterpriseDB EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. +EnterpriseDB's EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. -## Vulnerability Details: +## Vulnerability details CVE-ID: [CVE-2023-31043](https://nvd.nist.gov/vuln/detail/CVE-2023-31043) @@ -23,7 +23,7 @@ CVSS Environmental Score: Undefined CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N -## Affected Products and Versions +## Affected products and versions EnterpriseDB Postgres Advanced Server (EPAS) @@ -33,7 +33,7 @@ EnterpriseDB Postgres Advanced Server (EPAS) * 13.1.4 to 13.9.12 * 14.1.0 to 14.6.0 -## Remediation/Fixes: +## Remediation/fixes | Product | VRMF | Remediation/First Fix | |---------|------|-----------------------| 
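Review bot: The affected range `* 14.1.0 to 14.6.0` in the `@@ -33,7 +33,7 @@` context of cve202331043.mdx contradicts the Summary two hunks above, which ends `The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0.` The upper bound should be 14.5.0, one release short of the fix like the other four ranges. PATCH 10 in this series makes that correction; it just has to survive the later commits. The `+EnterpriseDB's EDB Postgres Advanced Server (EPAS)` rewording is reversed again in PATCH 14, so settle the product name once rather than per commit.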
@@ -47,26 +47,26 @@ EnterpriseDB Postgres Advanced Server (EPAS) No Updates at this time !!! -## References: +## References * [https://www.first.org/cvss/calculator/3.1](https://www.first.org/cvss/calculator/3.1) * [CWE-312 Cleartext Storage of Sensitive Information](http://cwe.mitre.org/data/definitions/312.html) -## Related Information: +## Related information * [EnterpriseDB](https://www.enterprisedb.com/) * [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server) * [EDB Blogs Link]() * [EDB Security Trust Center Link (or wherever the advisory is published)]() -## Acknowledgement: +## Acknowledgement Source: Mitre -## Change History: +## Change History 26 July 2023: Original Copy Published -## Disclaimer: +## Disclaimer Legal can put any disclaimer they would like here diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/advisories/index.mdx new file mode 100644 index 00000000000..3e0b51e0685 --- /dev/null +++ b/advocacy_docs/security/advisories/index.mdx @@ -0,0 +1,14 @@ +--- +title: EDB Security Advisories +navTitle: Advisories +iconName: Security +hideKBLink: true +--- + +## Advisories + +* [**CVE-2023-31043**](advisories/cve202331043): EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0 +* [**CVE-2019-10128**](advisories/cve201910128): Postgresql +* [**CVE-2007-4639**](advisories/cve20074639): EnterpriseDB Postgres Advanced Server version 8.2. + + diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index c7b67ce79e4..5c3979843f8 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx 
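Review bot: The links in the new advocacy_docs/security/advisories/index.mdx are wrong relative to where the file lives: `* [**CVE-2023-31043**](advisories/cve202331043)` and the two bullets below it are written relative to `security/`, the directory of the other index, so from inside `advisories/` they resolve to `advisories/advisories/cve202331043`. Use `cve202331043` and friends here. The same bullet also misstates the range: `EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0` reads as if 10.23.32 were the first affected release, but the advisory itself lists all versions up to 10.23.32 as affected; `all versions before 14.6.0` matches the advisory. Minor: this file has `Source: Mitre` where cve20074639.mdx has `Source: MITRE`.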
@@ -1,8 +1,13 @@ --- title: EDB Security navTitle: EDB Security -iconName: Security -hideKBLink: true +directoryDefaults: + iconName: Security + indexCards: none + hideKBLink: true +navigation: + - vulnerability-disclosure-policy + - advisories --- We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). Here are the current policies and advisories. diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index 72252026519..b72779921b0 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx @@ -1,6 +1,6 @@ --- title: EDB Vulnerability Disclosure Policy -navTitle: Vulnerability Disclosure +navTitle: Vulnerability Disclosure Policy iconName: Security hideKBLink: true --- From 2cf167c933b9ab871ba0ab46a5ff724c0e22e209 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Tue, 1 Aug 2023 20:00:17 +0100 Subject: [PATCH 09/18] Fixed title case Signed-off-by: Dj Walker-Morgan --- .../security/vulnerability-disclosure-policy.mdx | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index b72779921b0..522ffc3e582 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx @@ -1,6 +1,6 @@ --- -title: EDB Vulnerability Disclosure Policy -navTitle: Vulnerability Disclosure Policy +title: EDB Vulnerability disclosure policy +navTitle: Vulnerability disclosure policy iconName: Security hideKBLink: true --- 
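Review bot: In the PATCH 09 hunk for vulnerability-disclosure-policy.mdx, `+title: EDB Vulnerability disclosure policy` and `+navTitle: Vulnerability disclosure policy` lowercase the policy name, but the name stays title-cased where the landing page links to it (`EDB Vulnerability Disclosure Policy` in the PATCH 15 hunk later in this series), so the nav entry and the link text will not match. Decide whether "Vulnerability Disclosure Policy" is a proper name (title case everywhere) or a description (sentence case everywhere) and apply that in both files.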
@@ -18,7 +18,7 @@ This policy outlines how [EnterpriseDB](https://www.enterprisedb.com/) handles d This policy outlines the procedure for external security researchers, customers, partners, and the wider community to report potential security vulnerabilities. If you believe you have discovered a potential security vulnerability impacting EnterpriseDB, please follow our reporting process set forth below. -## Reporting Vulnerabilities +## Reporting vulnerabilities If you have identified a potential security vulnerability, please notify us at [disclosures@enterprisedb.com](mailto:disclosures@enterprisedb.com). @@ -33,7 +33,7 @@ The following should be included in your message: If, during the course of your research, you suspect you have encountered sensitive information, immediately cease all activities and contact us at [security@enterprisedb.com](mailto:security@enterprisedb.com). -## Our Commitments +## Our commitments When a vulnerability report is received, we commit to: @@ -43,7 +43,7 @@ When a vulnerability report is received, we commit to: * Notifying you when the vulnerability is resolved, where possible. -## Safe Harbor +## Safe harbor We appreciate the security community’s efforts to help us identify and securely remediate any vulnerabilities that may impact EnterpriseDB or our customers. When you investigate and report vulnerabilities under this policy, we grant you a “safe harbor,” and will not pursue claims against you for any lawful conduct. @@ -63,7 +63,7 @@ While we don't have a formal bug bounty program, we recognize and appreciate the While we strive to acknowledge, triage and respond to all reports as quickly as possible, this policy does not constitute a binding agreement. -## Out of Scope +## Out of scope The following types of attacks are out of scope and are not eligible for a reward or covered under safe harbor: 
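Review bot: Two different reporting addresses now appear in vulnerability-disclosure-policy.mdx: the context line under the Reporting vulnerabilities heading says `please notify us at [disclosures@enterprisedb.com](mailto:disclosures@enterprisedb.com)`, while the context line before the Our commitments heading still tells a researcher who encounters sensitive information to `contact us at [security@enterprisedb.com](mailto:security@enterprisedb.com)` (the first commit in the series used security@ for both). If the mailbox was changed deliberately, change the second occurrence too; if both are monitored, say so, otherwise the one message that most needs a fast response goes to the address nobody expects. Also, the Out of scope context line says attacks there `are not eligible for a reward`, while the context two hunks up states there is no formal bug bounty program; rephrase so the policy does not imply rewards exist.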
@@ -83,7 +83,7 @@ By submitting a vulnerability, you acknowledge that you have read and agreed to Please note that this policy may be updated from time to time. Please refer to the latest version before reporting a vulnerability. -### Change Log +### Change history From 403f5b98c6204f28e6e7e5745a49a80cf0794450 Mon Sep 17 00:00:00 2001 From: Josh Heyer <63653723+josh-heyer@users.noreply.github.com> Date: Tue, 1 Aug 2023 12:07:52 -0700 Subject: [PATCH 10/18] Fix link, closing paren, affected version for 14.6.0 --- advocacy_docs/security/advisories/cve202331043.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index 2d5e0d3a127..b1e100cd9d9 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx +++ b/advocacy_docs/security/advisories/cve202331043.mdx @@ -31,7 +31,7 @@ EnterpriseDB Postgres Advanced Server (EPAS) * 11.1.7 to 11.18.28 * 12.1.2 to 12.13.16 * 13.1.4 to 13.9.12 -* 14.1.0 to 14.6.0 +* 14.1.0 to 14.5.0 ## Remediation/fixes @@ -41,7 +41,7 @@ EnterpriseDB Postgres Advanced Server (EPAS) | EPAS | 11.1.7 to
11.18.28 | Update to latest supported version
(at least [11.18.29](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas11_18_29_rel_notes/)) | | EPAS | 12.1.2 to
12.13.16 | Update to latest supported version
(at least [12.13.17](https://www.enterprisedb.com/docs/epas/12/epas_rel_notes/epas12_13_17_rel_notes/)) | | EPAS | 13.1.4 to
13.9.12 | Update to latest supported version
(at least [13.9.13](https://www.enterprisedb.com/docs/epas/13/epas_rel_notes/epas13_9_13_rel_notes/)) | -| EPAS | 14.1.0 to
14.5.0 | Update to latest supported version
(at least [14.6.0](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas14_6_0_notes/) | +| EPAS | 14.1.0 to
14.5.0 | Update to latest supported version
(at least [14.6.0](https://www.enterprisedb.com/docs/epas/14/epas_rel_notes/epas14_6_0_rel_notes/)) | !!! Note Update No Updates at this time From 7686ee3f127a58fc6476823df3bde3ce6d3e87e4 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Tue, 1 Aug 2023 20:07:29 +0100 Subject: [PATCH 11/18] Links and small fixes Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/advisories/cve201910128.mdx | 4 ++-- advocacy_docs/security/advisories/cve202331043.mdx | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/advisories/cve201910128.mdx index 3f4fab2b108..62364a22561 100644 --- a/advocacy_docs/security/advisories/cve201910128.mdx +++ b/advocacy_docs/security/advisories/cve201910128.mdx @@ -1,5 +1,5 @@ --- -title: Multiple postgresql versions are affected by a high severity vulnerability +title: Multiple Postgresql versions are affected by a high severity vulnerability navTitle: CVE-2019-10128 --- 
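Review bot: The PATCH 11 title hunk for cve201910128.mdx replaces `postgresql` with `+title: Multiple Postgresql versions are affected by a high severity vulnerability`, a capitalisation used nowhere else; the summary hunk in the same commit correctly writes `PostgreSQL`, so the title should too. The PATCH 13 index cards copy this title verbatim, so they inherit the misspelling unless it is fixed here.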
@@ -9,7 +9,7 @@ Last Updated: 01/01/2022 ## Summary -A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. +A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. ## Vulnerability details diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index b1e100cd9d9..6ed4265ae08 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx +++ b/advocacy_docs/security/advisories/cve202331043.mdx @@ -32,6 +32,7 @@ EnterpriseDB Postgres Advanced Server (EPAS) * 12.1.2 to 12.13.16 * 13.1.4 to 13.9.12 * 14.1.0 to 14.5.0 +* 14.1.0 to 14.5.0 ## Remediation/fixes @@ -41,7 +42,7 @@ EnterpriseDB Postgres Advanced Server (EPAS) | EPAS | 11.1.7 to
11.18.28 | Update to latest supported version
(at least [11.18.29](https://www.enterprisedb.com/docs/epas/11/epas_rel_notes/epas11_18_29_rel_notes/)) | | EPAS | 12.1.2 to
12.13.16 | Update to latest supported version
(at least [12.13.17](https://www.enterprisedb.com/docs/epas/12/epas_rel_notes/epas12_13_17_rel_notes/)) | | EPAS | 13.1.4 to
13.9.12 | Update to latest supported version
(at least [13.9.13](https://www.enterprisedb.com/docs/epas/13/epas_rel_notes/epas13_9_13_rel_notes/)) | -| EPAS | 14.1.0 to
14.5.0 | Update to latest supported version
(at least [14.6.0](https://www.enterprisedb.com/docs/epas/14/epas_rel_notes/epas14_6_0_rel_notes/)) | +| EPAS | 14.1.0 to
14.5.0 | Update to latest supported version
(at least [14.6.0](https://www.enterprisedb.com/docs/epas/14/epas_rel_notes/epas14_6_0_notes/))| !!! Note Update No Updates at this time From 9f4ae7f7b677057c7145a457be985c3a4ffd642c Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Tue, 1 Aug 2023 20:15:28 +0100 Subject: [PATCH 12/18] More smol fixes Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/advisories/cve201910128.mdx | 2 +- advocacy_docs/security/advisories/cve202331043.mdx | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/advisories/cve201910128.mdx index 62364a22561..00671634b08 100644 --- a/advocacy_docs/security/advisories/cve201910128.mdx +++ b/advocacy_docs/security/advisories/cve201910128.mdx @@ -62,7 +62,7 @@ No updates at this time ## Acknowledgement Source: Red Hat Inc -## Change History +## Change history 26 July 2023: Original Copy Published diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index 6ed4265ae08..93935b4a413 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx +++ b/advocacy_docs/security/advisories/cve202331043.mdx @@ -64,7 +64,7 @@ No Updates at this time ## Acknowledgement Source: Mitre -## Change History +## Change history 26 July 2023: Original Copy Published From 5941bed16488fba945dc83edeece88e0449db30a Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Wed, 2 Aug 2023 11:07:14 +0100 Subject: [PATCH 13/18] Redesign Index page POC Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/advisories/index.mdx | 31 +++++++++++++++++-- advocacy_docs/security/index.mdx | 33 +++++++++++++++++++-- 2 files changed, 58 insertions(+), 6 deletions(-) diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/advisories/index.mdx index 3e0b51e0685..c2bc9dd3515 100644 --- a/advocacy_docs/security/advisories/index.mdx +++ b/advocacy_docs/security/advisories/index.mdx 
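Review bot: Two regressions in the PATCH 11 hunks for cve202331043.mdx. In `@@ -32,6 +32,7 @@`, `+* 14.1.0 to 14.5.0` is added directly beneath the identical existing bullet, so the affected list now shows that range twice. In `@@ -41,7 +42,7 @@`, the 14.6.0 release-notes link is changed back to `epas14_6_0_notes/))|`, dropping the `_rel_` path segment and the space before the closing pipe that PATCH 10 had just introduced; the PATCH 10 form `epas14_6_0_rel_notes/)) |` is the one that matches the other three rows' URLs. Drop the duplicate bullet and restore the PATCH 10 link.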
@@ -3,12 +3,37 @@ title: EDB Security Advisories navTitle: Advisories iconName: Security hideKBLink: true +hideToC: true --- ## Advisories -* [**CVE-2023-31043**](advisories/cve202331043): EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0 -* [**CVE-2019-10128**](advisories/cve201910128): Postgresql -* [**CVE-2007-4639**](advisories/cve20074639): EnterpriseDB Postgres Advanced Server version 8.2. +
+

CVE-2023-31043

EDB/EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0

+Updated: 05/02/2023
+Multiple versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +
+
+Summary: EDB/EnterpriseDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. +Read More... +
+
+

CVE-2019-10128

PostgreSQL

+Updated: 01/01/2022
+Multiple Postgresql versions are affected by a high severity vulnerability +
+
+Summary: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. +
Read More...
+
+ +
+

CVE-2007-4639

EnterpriseDB Postgres Advanced Server version 8.2

+Updated: 10/15/2018
+EnterpriseDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability
+
+Summary: EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer. +
Read More...
+
diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 5c3979843f8..f9325ef70db 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -1,6 +1,7 @@ --- title: EDB Security navTitle: EDB Security +hideToC: true directoryDefaults: iconName: Security indexCards: none @@ -22,9 +23,35 @@ Below are the current notification policies in operation: ## Advisories -* [**CVE-2023-31043**](advisories/cve202331043): EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0 -* [**CVE-2019-10128**](advisories/cve201910128): Postgresql -* [**CVE-2007-4639**](advisories/cve20074639): EnterpriseDB Postgres Advanced Server version 8.2. + +
+

CVE-2023-31043

EDB/EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0

+Updated: 05/02/2023
+Multiple versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +
+
+Summary: EDB/EnterpriseDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. +Read More... +
+ +
+

CVE-2019-10128

PostgreSQL

+Updated: 01/01/2022
+Multiple Postgresql versions are affected by a high severity vulnerability +
+
+Summary: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. +
Read More...
+
+ +
+

CVE-2007-4639

EnterpriseDB Postgres Advanced Server version 8.2

+Updated: 10/15/2018
+EnterpriseDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability
+
+Summary: EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer. +
Read More...
+
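Review bot: The card markup added in PATCH 13 is duplicated verbatim between advisories/index.mdx and security/index.mdx (same three CVE blocks, same summaries), so every advisory change has to be made in two places; PATCH 14 already has to patch both copies just to rename the product. Consider generating the list from the advisory pages' front matter, or keep a single copy. Two details carried over from the earlier bullet list: `EDB/EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0` misstates the lower bound (the advisory lists all versions up to 10.23.32 as affected), and `Updated: 05/02/2023` is a numeric date that the international audience the policy addresses will read as day/month, while the advisories' change history uses the unambiguous `26 July 2023`; use one format.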
From fbb11c76e92990f87185c3a4485e0fc7b734a034 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Wed, 2 Aug 2023 14:38:00 +0100 Subject: [PATCH 14/18] Updated - less EnterpriseDB more EDB Signed-off-by: Dj Walker-Morgan --- .../security/advisories/cve20074639.mdx | 6 +++--- .../security/advisories/cve202331043.mdx | 6 +++--- advocacy_docs/security/advisories/index.mdx | 14 +++++++------- advocacy_docs/security/index.mdx | 16 ++++++++-------- 4 files changed, 21 insertions(+), 21 deletions(-) diff --git a/advocacy_docs/security/advisories/cve20074639.mdx b/advocacy_docs/security/advisories/cve20074639.mdx index fc2a3a2f557..75bcbf2e1a0 100644 --- a/advocacy_docs/security/advisories/cve20074639.mdx +++ b/advocacy_docs/security/advisories/cve20074639.mdx @@ -1,5 +1,5 @@ --- -title: EnterpriseDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability +title: EDB Postgres Advanced Server 8.2 is affected by an unscored vulnerability navTitle: CVE-2007-4639 --- @@ -9,7 +9,7 @@ Last Updated: 10/15/2018 ## Summary -EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to `pldbg_create_listener`, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a `pldbg_` function, as demonstrated by (1) `pldbg_get_stack` and (2) `pldbg_abort_target`, which triggers use of an uninitialized pointer. +EDB Postgres Advanced Server 8.2 (EPAS) does not properly handle certain debugging function calls that occur before a call to `pldbg_create_listener`, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a `pldbg_` function, as demonstrated by (1) `pldbg_get_stack` and (2) `pldbg_abort_target`, which triggers use of an uninitialized pointer. ## Vulnerability details 
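Review bot: In the PATCH 14 summary hunk for cve20074639.mdx, `+EDB Postgres Advanced Server 8.2 (EPAS) does not properly handle` places the abbreviation after the version number, whereas the other advisories in this same commit write `EDB Postgres Advanced Server (EPAS)` and then the version; `EDB Postgres Advanced Server (EPAS) 8.2` keeps the three pages consistent.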
@@ -25,7 +25,7 @@ CVSS Vector: Undefined ## Affected products and versions -EnterpriseDB Postgres Advanced Server (EPAS) +EDB Postgres Advanced Server (EPAS) * 8.2 ## Remediation/fixes diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index 93935b4a413..f4577797704 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx +++ b/advocacy_docs/security/advisories/cve202331043.mdx @@ -1,5 +1,5 @@ --- -title: Multiple versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +title: Versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability navTitle: CVE-2023-31043 --- @@ -9,7 +9,7 @@ Last Updated: 05/02/2023 ## Summary -EnterpriseDB's EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. +EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. ## Vulnerability details @@ -25,7 +25,7 @@ CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N ## Affected products and versions -EnterpriseDB Postgres Advanced Server (EPAS) +EDB Postgres Advanced Server (EPAS) * All versions up to 10.23.32 * 11.1.7 to 11.18.28 diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/advisories/index.mdx index c2bc9dd3515..3c5e2919c6d 100644 --- a/advocacy_docs/security/advisories/index.mdx +++ b/advocacy_docs/security/advisories/index.mdx @@ -9,12 +9,12 @@ hideToC: true ## Advisories
-

CVE-2023-31043

EDB/EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0

+

CVE-2023-31043

EDB Postgres Advanced Server 10.23.32 to 14.5.0

Updated: 05/02/2023
-Multiple versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +Versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability

-Summary: EDB/EnterpriseDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. +Summary: EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. Read More...
@@ -24,16 +24,16 @@ Updated: 01/01/2022
Multiple Postgresql versions are affected by a high severity vulnerability

-Summary: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. +Summary: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.
Read More...
-

CVE-2007-4639

EnterpriseDB Postgres Advanced Server version 8.2

+

CVE-2007-4639

EDB Postgres Advanced Server version 8.2

Updated: 10/15/2018
-EnterpriseDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability
+EDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability

-Summary: EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer. +Summary: EDB Postgres Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer.
Read More...
diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index f9325ef70db..c37278c1410 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -13,7 +13,7 @@ navigation: We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). Here are the current policies and advisories. -This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EnterpriseDB. +This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EDB. ## Policies @@ -25,12 +25,12 @@ Below are the current notification policies in operation:
-

CVE-2023-31043

EDB/EnterpriseDB Postgres Advanced Server 10.23.32 to 14.5.0

+

CVE-2023-31043

EDB Postgres Advanced Server 10.23.32 to 14.5.0

Updated: 05/02/2023
-Multiple versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +Versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability

-Summary: EDB/EnterpriseDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. +Summary: EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. Read More...
@@ -40,16 +40,16 @@ Updated: 01/01/2022
Multiple Postgresql versions are affected by a high severity vulnerability

-Summary: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. +Summary: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.
Read More...
-

CVE-2007-4639

EnterpriseDB Postgres Advanced Server version 8.2

+

CVE-2007-4639

EDB Postgres Advanced Server version 8.2

Updated: 10/15/2018
-EnterpriseDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability
+EDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability

-Summary: EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer. +Summary: EDB Postgres Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer.
Read More...
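Review bot: the Summary lines in this hunk reproduce the upstream CVE description (the Acknowledgement sections of the advisories cite MITRE and Red Hat as the source), so rewording the vendor name inside them, from `-Summary: EnterpriseDB Advanced Server 8.2 does not properly handle...` to `+Summary: EDB Postgres Advanced Server 8.2 does not properly handle...`, means the advisory no longer quotes the published description verbatim. Either keep the upstream wording in Summary and apply the EDB branding only to the title and product cells (`EDB Postgres Advanced Server version 8.2`), or say in the advisory that the product name in the description has been updated. The same applies to `EnterpriseDB-supplied` becoming `EDB-supplied` in the CVE-2019-10128 summary.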
From 9bb6b08a59960d46bf5880fe3a50d0babd5056c3 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 3 Aug 2023 15:58:30 +0100 Subject: [PATCH 15/18] Redid index policies with impact Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/index.mdx | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index c37278c1410..2de844b687a 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -17,9 +17,8 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v ## Policies -Below are the current notification policies in operation: - -* [EDB Vulnerability Disclosure Policy](vulnerability-disclosure-policy) +*

EDB Vulnerability Disclosure Policy

+This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EDB. ## Advisories From 7c128c36de7dd1c032de824f2783ddcd347df6a1 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Thu, 3 Aug 2023 18:06:06 +0100 Subject: [PATCH 16/18] Title fixes Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/advisories/cve.mdx.template | 1 - advocacy_docs/security/advisories/cve20074639.mdx | 3 +-- advocacy_docs/security/advisories/cve201910128.mdx | 3 +-- advocacy_docs/security/advisories/cve202331043.mdx | 3 +-- advocacy_docs/security/advisories/index.mdx | 7 ++++--- advocacy_docs/security/index.mdx | 7 ++++--- 6 files changed, 11 insertions(+), 13 deletions(-) diff --git a/advocacy_docs/security/advisories/cve.mdx.template b/advocacy_docs/security/advisories/cve.mdx.template index ff839cb4b39..538350e1ce3 100644 --- a/advocacy_docs/security/advisories/cve.mdx.template +++ b/advocacy_docs/security/advisories/cve.mdx.template @@ -48,7 +48,6 @@ OPTIONAL UPDATE NOTE * [EnterpriseDB](https://www.enterprisedb.com/) * LINKS TO OTHER RELATED INFORMATION * [EDB Blogs Link]() -* [EDB Security Trust Center Link (or wherever the advisory is published)]() ## Acknowledgement diff --git a/advocacy_docs/security/advisories/cve20074639.mdx b/advocacy_docs/security/advisories/cve20074639.mdx index 75bcbf2e1a0..7d5673bb090 100644 --- a/advocacy_docs/security/advisories/cve20074639.mdx +++ b/advocacy_docs/security/advisories/cve20074639.mdx @@ -1,5 +1,5 @@ --- -title: EDB Postgres Advanced Server 8.2 is affected by an unscored vulnerability +title: EDB Advanced Server 8.2 improperly handles debugging function calls navTitle: CVE-2007-4639 --- 
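Review bot: the added line `+This policy outlines how EnterpriseDB handles disclosures ... impacting EDB.` mixes `EnterpriseDB` and `EDB` in one sentence right after the previous patch in this series standardised on `EDB`, and the hunk header's context (`@@ -17,9 +17,8 @@ This policy outlines how EnterpriseDB handles disclosures...`) shows index.mdx already carries this same paragraph above the Policies heading, so after this change the page says it twice. It also duplicates the Introduction of vulnerability-disclosure-policy.mdx, so the copies will drift unless the index keeps a one-line pointer and the policy page stays the single source. Since `-* [EDB Vulnerability Disclosure Policy](vulnerability-disclosure-policy)` is replaced by a bare `+*` bullet, please confirm the rendered bullet still links to `vulnerability-disclosure-policy`.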
@@ -48,7 +48,6 @@ This vulnerability has been modified since it was last analyzed by the NVD. It i * [EnterpriseDB](https://www.enterprisedb.com/) * [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server) * [EDB Blogs Link]() -* [EDB Security Trust Center Link (or wherever the advisory is published)]() ## Acknowledgement Source: MITRE diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/advisories/cve201910128.mdx index 00671634b08..ae81964ac8a 100644 --- a/advocacy_docs/security/advisories/cve201910128.mdx +++ b/advocacy_docs/security/advisories/cve201910128.mdx @@ -1,5 +1,5 @@ --- -title: Multiple Postgresql versions are affected by a high severity vulnerability +title: EDB supplied PostgreSQL inherits ACL for installation directory navTitle: CVE-2019-10128 --- @@ -57,7 +57,6 @@ No updates at this time * [EnterpriseDB](https://www.enterprisedb.com/) * [Postgresql](https://www.postgresql.org) * [EDB Blogs Link]() -* [EDB Security Trust Center Link (or wherever the advisory is published)]() ## Acknowledgement Source: Red Hat Inc diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index f4577797704..164fb663eca 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx +++ b/advocacy_docs/security/advisories/cve202331043.mdx @@ -1,5 +1,5 @@ --- -title: Versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +title: EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0 navTitle: CVE-2023-31043 --- @@ -59,7 +59,6 @@ No Updates at this time * [EnterpriseDB](https://www.enterprisedb.com/) * [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server) * [EDB Blogs Link]() -* [EDB Security Trust Center Link (or wherever the advisory is published)]() ## Acknowledgement Source: Mitre 
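Review bot: the new title `+title: EDB Advanced Server 8.2 improperly handles debugging function calls` drops "Postgres" from the product name, while the sibling titles and the product links in the same files use `EDB Postgres Advanced Server (EPAS)`; keep one name. The new CVE-2019-10128 title `EDB supplied PostgreSQL inherits ACL for installation directory` names only the installation directory, but the summary says the installer keeps the inherited ACL on both the binary directory and the data directory, and the data directory is where the default-configuration read exposure lies, so the title undersells the issue (also hyphenate `EDB-supplied` as the summary does). Removing `-* [EDB Security Trust Center Link (or wherever the advisory is published)]()` is right, but the remaining `* [EDB Blogs Link]()` placeholder in the template and all three advisories has an empty URL and will render as a dead link; fill it or drop it the same way.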
diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/advisories/index.mdx index 3c5e2919c6d..15dadbbfa3e 100644 --- a/advocacy_docs/security/advisories/index.mdx +++ b/advocacy_docs/security/advisories/index.mdx @@ -11,7 +11,7 @@ hideToC: true

CVE-2023-31043

EDB Postgres Advanced Server 10.23.32 to 14.5.0

Updated: 05/02/2023
-Versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0

Summary: EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. @@ -21,7 +21,7 @@ Versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity

CVE-2019-10128

PostgreSQL

Updated: 01/01/2022
-Multiple Postgresql versions are affected by a high severity vulnerability +EDB supplied PostgreSQL inherits ACL for installation directory

Summary: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. @@ -31,7 +31,8 @@ Multiple Postgresql versions are affected by a high severity vulnerability

CVE-2007-4639

EDB Postgres Advanced Server version 8.2

Updated: 10/15/2018
-EDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability
+EDB Advanced Server 8.2 improperly handles debugging function calls +

Summary: EDB Postgres Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer.
Read More...
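Review bot: the CVE-2007-4639 entry in this hunk gains an extra line (`+EDB Advanced Server 8.2 improperly handles debugging function calls` followed by a lone `+`, hence `-31,7 +31,8`) that the CVE-2023-31043 and CVE-2019-10128 entries in the two preceding hunks do not get, so the three entries end up with inconsistent spacing; drop the stray line. These index titles are hand-copied from the advisory front matter, so any later title fix has to be made in both places.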
diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 2de844b687a..3b93e73092e 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -26,7 +26,7 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v

CVE-2023-31043

EDB Postgres Advanced Server 10.23.32 to 14.5.0

Updated: 05/02/2023
-Versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity vulnerability +EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0

Summary: EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0. @@ -36,7 +36,7 @@ Versions of EDB Postgres Advanced Server (EPAS) are affected by a high severity

CVE-2019-10128

PostgreSQL

Updated: 01/01/2022
-Multiple Postgresql versions are affected by a high severity vulnerability +EDB supplied PostgreSQL inherits ACL for installation directory

Summary: A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for EDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. @@ -46,7 +46,8 @@ Multiple Postgresql versions are affected by a high severity vulnerability

CVE-2007-4639

EDB Postgres Advanced Server version 8.2

Updated: 10/15/2018
-EDB Postgres Advanced Server version 8.2 is affected by an unscored vulnerability
+EDB Advanced Server 8.2 improperly handles debugging function calls +

Summary: EDB Postgres Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer.
Read More...
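Review bot: this file repeats the whole advisory list from advocacy_docs/security/advisories/index.mdx, and the two copies already differ: the summary here reads `EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwords`, while the advisories index reads `EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords`. Every title and date change in this patch had to be applied twice by hand; consider having the top-level index include or generate the list from one source. The same stray extra line after `+EDB Advanced Server 8.2 improperly handles debugging function calls` (`-46,7 +46,8`) appears here as in the advisories index.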
From 571eaa98ec8b7cbefae52f165f0579632b1c3dec Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 7 Aug 2023 17:59:15 +0100 Subject: [PATCH 17/18] Updates inc legal Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/advisories/cve20074639.mdx | 14 +++++--------- advocacy_docs/security/advisories/cve201910128.mdx | 14 +++++--------- advocacy_docs/security/advisories/cve202331043.mdx | 14 +++++--------- advocacy_docs/security/index.mdx | 4 +--- 4 files changed, 16 insertions(+), 30 deletions(-) diff --git a/advocacy_docs/security/advisories/cve20074639.mdx b/advocacy_docs/security/advisories/cve20074639.mdx index 7d5673bb090..819cb21c3bf 100644 --- a/advocacy_docs/security/advisories/cve20074639.mdx +++ b/advocacy_docs/security/advisories/cve20074639.mdx @@ -13,14 +13,10 @@ EDB Postgres Advanced Server 8.2 (EPAS) does not properly handle certain debuggi ## Vulnerability details -CVE-ID: [CVE-2007-4639](https://nvd.nist.gov/vuln/detail/CVE-2007-4639) - -CVSS Base Score: Undefined - -CVSS Temporal Score: Undefined - -CVSS Environmental Score: Undefined - +CVE-ID: [CVE-2007-4639](https://nvd.nist.gov/vuln/detail/CVE-2007-4639) +CVSS Base Score: Undefined +CVSS Temporal Score: Undefined +CVSS Environmental Score: Undefined CVSS Vector: Undefined ## Affected products and versions @@ -58,4 +54,4 @@ Source: MITRE ## Disclaimer -Legal can put any disclaimer they would like here +This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document. \ No newline at end of file diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/advisories/cve201910128.mdx index ae81964ac8a..2ed811f86a1 100644 
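Review bot: collapsing the CVSS block to adjacent lines breaks its rendering: in MDX, consecutive lines with no blank line between them are joined into one paragraph, so `+CVE-ID: [CVE-2007-4639](...)`, `+CVSS Base Score: Undefined`, `+CVSS Temporal Score: Undefined` and the rest will come out as a single run-on line rather than one field per line. Use a bullet list or a small table for these fields, or end each line with two spaces or a `<br />`; the identical hunks in cve201910128.mdx and cve202331043.mdx need the same fix. Separately, the disclaimer hunk leaves cve20074639.mdx without a trailing newline (`\ No newline at end of file`) while the other two files keep one, and "Your use of the information on the document" reads better as "in this document".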
--- a/advocacy_docs/security/advisories/cve201910128.mdx +++ b/advocacy_docs/security/advisories/cve201910128.mdx @@ -13,14 +13,10 @@ A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows ## Vulnerability details -CVE-ID: [CVE-2019-10128](https://nvd.nist.gov/vuln/detail/CVE-2019-10128) - -CVSS Base Score: 7.8 - -CVSS Temporal Score: Undefined - -CVSS Environmental Score: Undefined - +CVE-ID: [CVE-2019-10128](https://nvd.nist.gov/vuln/detail/CVE-2019-10128) +CVSS Base Score: 7.8 +CVSS Temporal Score: Undefined +CVSS Environmental Score: Undefined CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H ## Affected products and versions @@ -67,4 +63,4 @@ Source: Red Hat Inc ## Disclaimer -Legal can put any disclaimer they would like here +This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document. diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index 164fb663eca..99d492e03ce 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx +++ b/advocacy_docs/security/advisories/cve202331043.mdx 
@@ -13,14 +13,10 @@ EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwo ## Vulnerability details -CVE-ID: [CVE-2023-31043](https://nvd.nist.gov/vuln/detail/CVE-2023-31043) - -CVSS Base Score: 7.5 - -CVSS Temporal Score: Undefined - -CVSS Environmental Score: Undefined - +CVE-ID: [CVE-2023-31043](https://nvd.nist.gov/vuln/detail/CVE-2023-31043) +CVSS Base Score: 7.5 +CVSS Temporal Score: Undefined +CVSS Environmental Score: Undefined CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N ## Affected products and versions @@ -69,4 +65,4 @@ Source: Mitre ## Disclaimer -Legal can put any disclaimer they would like here +This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document. diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index 3b93e73092e..db60153ea2c 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx 
@@ -11,9 +11,7 @@ navigation: - advisories --- -We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). Here are the current policies and advisories. - -This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EDB. +EDB is committed to a security first approach, from the products we build and the platforms we operate, to the services we provide our customers. Transparency is a core principle for the program and part of this effort includes welcoming incoming reports so that we can address concerns surfaced by our customers or security researchers. You’ll also find it in our advisories, which detail issues found and the required fixes or mitigations needed to keep your data and databases safe. ## Policies From 73a9486ec5a11aedb8c9f393ba1009a4f4e05309 Mon Sep 17 00:00:00 2001 From: Dj Walker-Morgan Date: Mon, 7 Aug 2023 18:34:52 +0100 Subject: [PATCH 18/18] More small tweaks and switch to ISO8601 dates Signed-off-by: Dj Walker-Morgan --- advocacy_docs/security/advisories/cve.mdx.template | 7 ++++--- advocacy_docs/security/advisories/cve20074639.mdx | 4 ++-- advocacy_docs/security/advisories/cve201910128.mdx | 4 ++-- advocacy_docs/security/advisories/cve202331043.mdx | 4 ++-- advocacy_docs/security/advisories/index.mdx | 6 +++--- advocacy_docs/security/index.mdx | 6 +++--- advocacy_docs/security/vulnerability-disclosure-policy.mdx | 2 +- 7 files changed, 17 insertions(+), 16 deletions(-) diff --git a/advocacy_docs/security/advisories/cve.mdx.template b/advocacy_docs/security/advisories/cve.mdx.template index 538350e1ce3..d6068344f5b 100644 --- a/advocacy_docs/security/advisories/cve.mdx.template +++ b/advocacy_docs/security/advisories/cve.mdx.template 
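Review bot: in the new intro, "You’ll also find it in our advisories" has an unclear antecedent, since "it" has to reach back past a sentence about incoming reports to "Transparency"; say "You’ll also find that transparency in our advisories". Removing the duplicated `-This policy outlines how EnterpriseDB handles disclosures...` paragraph from the index is the right call, but note the new paragraph also drops the link to https://www.enterprisedb.com/ that the old opening sentence carried.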
@@ -3,9 +3,9 @@ title: CVE Title navTitle: CVE ID as CVE-Year-Number --- -First Published: MM/DD/YYYY +First Published: YYYY/MM/DD (ISO8601) -Last Updated: MM/DD/YYYY +Last Updated: YYYY/MM/DD ## Summary @@ -59,4 +59,5 @@ DD mmmm YYYY: ACTION ## Disclaimer -Legal can put any disclaimer they would like here + +This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document. \ No newline at end of file diff --git a/advocacy_docs/security/advisories/cve20074639.mdx b/advocacy_docs/security/advisories/cve20074639.mdx index 819cb21c3bf..b542776cba3 100644 --- a/advocacy_docs/security/advisories/cve20074639.mdx +++ b/advocacy_docs/security/advisories/cve20074639.mdx @@ -3,9 +3,9 @@ title: EDB Advanced Server 8.2 improperly handles debugging function calls navTitle: CVE-2007-4639 --- -First Published: 08/31/2007 +First Published: 2007/08/31 -Last Updated: 10/15/2018 +Last Updated: 2018/10/15 ## Summary diff --git a/advocacy_docs/security/advisories/cve201910128.mdx b/advocacy_docs/security/advisories/cve201910128.mdx index 2ed811f86a1..004d2a03b4e 100644 --- a/advocacy_docs/security/advisories/cve201910128.mdx +++ b/advocacy_docs/security/advisories/cve201910128.mdx @@ -3,9 +3,9 @@ title: EDB supplied PostgreSQL inherits ACL for installation directory navTitle: CVE-2019-10128 --- -First Published: 03/19/2021 +First Published: 2021/03/19 -Last Updated: 01/01/2022 +Last Updated: 2022/01/01 ## Summary diff --git a/advocacy_docs/security/advisories/cve202331043.mdx b/advocacy_docs/security/advisories/cve202331043.mdx index 99d492e03ce..c341c6fcf28 100644 --- a/advocacy_docs/security/advisories/cve202331043.mdx 
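Review bot: `+First Published: YYYY/MM/DD (ISO8601)` is not ISO 8601; ISO 8601 calendar dates use hyphens (`YYYY-MM-DD`), so either the label or the format in the template should change, and the converted advisory dates (`+First Published: 2007/08/31`, `+Last Updated: 2018/10/15`, and the others) plus the index `Updated:` lines follow the same slashed format. The template's revision-history context line `DD mmmm YYYY: ACTION` still prescribes a third date style; pick one for the whole advisory. The disclaimer hunk here also inserts an empty `+` line before the text and ends with `\ No newline at end of file`, unlike the advisory files this template is meant to produce.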
+++ b/advocacy_docs/security/advisories/cve202331043.mdx @@ -3,9 +3,9 @@ title: EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14 navTitle: CVE-2023-31043 --- -First Published: 04/23/2023 +First Published: 2023/04/23 -Last Updated: 05/02/2023 +Last Updated: 2023/05/02 ## Summary diff --git a/advocacy_docs/security/advisories/index.mdx b/advocacy_docs/security/advisories/index.mdx index 15dadbbfa3e..a7c597a5d49 100644 --- a/advocacy_docs/security/advisories/index.mdx +++ b/advocacy_docs/security/advisories/index.mdx @@ -10,7 +10,7 @@ hideToC: true

CVE-2023-31043

EDB Postgres Advanced Server 10.23.32 to 14.5.0

-Updated: 05/02/2023
+Updated: 2023/05/02
EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0

@@ -20,7 +20,7 @@ EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0

CVE-2019-10128

PostgreSQL

-Updated: 01/01/2022
+Updated: 2022/01/01
EDB supplied PostgreSQL inherits ACL for installation directory

@@ -30,7 +30,7 @@ EDB supplied PostgreSQL inherits ACL for installation directory

CVE-2007-4639

EDB Postgres Advanced Server version 8.2

-Updated: 10/15/2018
+Updated: 2018/10/15
EDB Advanced Server 8.2 improperly handles debugging function calls

diff --git a/advocacy_docs/security/index.mdx b/advocacy_docs/security/index.mdx index db60153ea2c..593c659780e 100644 --- a/advocacy_docs/security/index.mdx +++ b/advocacy_docs/security/index.mdx @@ -23,7 +23,7 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v

CVE-2023-31043

EDB Postgres Advanced Server 10.23.32 to 14.5.0

-Updated: 05/02/2023
+Updated: 2023/05/02
EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0

@@ -33,7 +33,7 @@ EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0

CVE-2019-10128

PostgreSQL

-Updated: 01/01/2022
+Updated: 2022/01/01
EDB supplied PostgreSQL inherits ACL for installation directory

@@ -43,7 +43,7 @@ EDB supplied PostgreSQL inherits ACL for installation directory

CVE-2007-4639

EDB Postgres Advanced Server version 8.2

-Updated: 10/15/2018
+Updated: 2018/10/15
EDB Advanced Server 8.2 improperly handles debugging function calls

diff --git a/advocacy_docs/security/vulnerability-disclosure-policy.mdx b/advocacy_docs/security/vulnerability-disclosure-policy.mdx index 522ffc3e582..89dc59dfbf0 100644 --- a/advocacy_docs/security/vulnerability-disclosure-policy.mdx +++ b/advocacy_docs/security/vulnerability-disclosure-policy.mdx @@ -5,7 +5,7 @@ iconName: Security hideKBLink: true --- -We are committed to a security first approach to everything we do at [EnterpriseDB](https://www.enterprisedb.com/). +EDB is committed to a security first approach, from the products we build and the platforms we operate, to the services we provide our customers. ## Introduction