Merge pull request #5597 from EnterpriseDB/docs/sec/cveupdatemay24
Docs/sec/cveupdatemay24
djw-m authored May 9, 2024
2 parents 365131f + 74723d6 commit 8c3ec6e
Showing 13 changed files with 251 additions and 76 deletions.
71 changes: 71 additions & 0 deletions advocacy_docs/security/advisories/cve20244545.mdx
@@ -0,0 +1,71 @@
---
title: CVE-2024-4545 - EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr
navTitle: CVE-2024-4545
affectedProducts: All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0
---

First Published: 2024/05/09

Last Updated: 2024/05/09

## Summary

All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using `edbldr` to bypass role permissions from `pg_read_server_files`. This could allow low privilege users to read files to which they would not otherwise have access.

## Vulnerability details

CVE-ID: [CVE-2024-4545](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4545)

CVSS Base Score: 7.7

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

## Affected products and versions

* EnterpriseDB Postgres Advanced Server (EPAS)
* All versions from 15.0 and prior to 15.7.0
* All versions from 16.0 and prior to 16.3.0

## Remediation

Impacted users must upgrade to a fixed version of EPAS. For questions about updating, users can contact their account representative or [contact EDB](https://www.enterprisedb.com/contact).

| Product | VRMF | Remediation/First Fix |
|---------|------|-----------------------|
| EPAS | All versions from 15.0 and prior to 15.7.0 | [Upgrade EPAS 15 to Minor release](https://www.enterprisedb.com/docs/epas/15/upgrading/04_upgrading_an_installation_with_pg_upgrade/01_performing_an_upgrade/) |
| EPAS | All versions from 16.0 and prior to 16.7.0 | [Upgrade EPAS 16 to Minor release](https://www.enterprisedb.com/docs/epas/16/upgrading/04_upgrading_an_installation_with_pg_upgrade/01_performing_an_upgrade/) |

!!! Warning
If impacted users are currently relying on non-superusers to run edbldr and read data from the server filesystem without any special permissions, the fixed versions of EPAS could break these workflows. It is recommended that users do one of the following:
* Grant such users the `pg_read_server_files` role
* Change the way data is being loaded into the database, such as loading files from standard input rather than specifying a pathname.
!!!

## References

* [CVSS Calculator v3.1](https://www.first.org/cvss/calculator/3.1)
* [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html)


## Related information

* [EnterpriseDB](https://www.enterprisedb.com/)
* [PostgreSQL](https://www.postgresql.org/)
* [EDB Postgres Advanced Server (EPAS)](https://www.enterprisedb.com/products/edb-postgres-advanced-server)
* [EDB Blogs link](https://enterprisedb.com/blog/)

## Acknowledgement

None

## Change history

* 9 May 2024: Original document published

## Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
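Review bot: the second row of the Remediation table gives the EPAS 16 range as "from 16.0 and prior to 16.7.0", which contradicts the 16.3.0 bound used in the title, `affectedProducts`, the Summary and the Affected products list; change it to `prior to 16.3.0` so the VRMF column matches the first-fix version. Both "Upgrade EPAS 15/16 to Minor release" links point at `.../04_upgrading_an_installation_with_pg_upgrade/...` pages; pg_upgrade is the major-version upgrade path, so the target of a minor-release link is worth confirming before publishing. The CVSS vector `AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N` does evaluate to the stated 7.7 base score under CVSS 3.1, so that part is consistent. The Warning admonition is the operational caveat readers need: after the fix, a non-superuser that ran `edbldr` against server-side file paths without `pg_read_server_files` will start failing, and of the two options offered, loading from standard input is the least-privilege choice because it avoids granting server filesystem read access at all; granting `pg_read_server_files` should be reserved for roles that genuinely need it.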
25 changes: 25 additions & 0 deletions advocacy_docs/security/advisories/index.mdx
@@ -6,6 +6,7 @@ iconName: Security
hideKBLink: true
hideToC: false
navigation:
- cve20244545
- cve202341120
- cve202341119
- cve202341118
@@ -26,6 +27,30 @@ navigation:



<h2>Updated 2024</h2>

<table class="table-bordered">


<tr><td>
<details><summary><h3 style="display:inline"> CVE-2024-4545 </h3>
<span>
&nbsp;&nbsp;<a href="cve20244545">Read Advisory</a>
&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
<h4>EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr</h4>
<h5> All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0</h5>
</summary>
<hr/>
<em>Summary:</em>&nbsp;
All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using <code>edbldr</code> to bypass role permissions from <code>pg_read_server_files</code>. This could allow low privilege users to read files to which they would not otherwise have access.
<br/>
<a href="cve20244545">Read More...</a>
</details></td></tr>




</table>
<h2>Updated 2023</h2>

<table class="table-bordered">
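Review bot: the new "Updated 2024" entry copies the advisory's title, affected-version line and Summary paragraph verbatim, and the same text is copied again into `advocacy_docs/security/index.mdx` in this PR, so any later correction to the advisory (for example to a version range) has to be applied in three places; if the site generator cannot pull these from the advisory's frontmatter, at least note the duplication in the PR description so the next editor knows to update all three. The `<details><summary><h3>...<h5>` structure matches the existing 2023 table below it, so the markup itself is consistent.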
105 changes: 105 additions & 0 deletions advocacy_docs/security/assessments/cve-2024-4317.mdx
@@ -0,0 +1,105 @@
---
title: CVE-2024-4317 - Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner
navTitle: CVE-2024-4317
affectedProducts: TBD
---

First Published: 2024/05/09

Last Updated: 2024/05/09

Important: This is an assessment of the impact of CVE-2024-4317 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

## Summary

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.


## Vulnerability details

CVE-ID: [CVE-2024-4317](https://www.postgresql.org/support/security/CVE-2024-4317/)

CVSS Base Score: 3.1

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: TBC

## Affected products and versions

### PostgreSQL

* All versions of PostgreSQL prior to 16.3
* All versions of PostgreSQL prior to 15.7
* All versions of PostgreSQL prior to 14.12

### EnterpriseDB Postgres Advanced Server (EPAS)

* All versions of EPAS prior to 16.3
* All versions of EPAS prior to 15.7
* All versions of EPAS prior to 14.12

### EnterpriseDB Postgres Extended

* All versions of PGE prior to 16.3
* All versions of PGE prior to 15.7
* All versions of PGE prior to 14.12

## Remediation/fixes

The fix is included in the following versions: 16.3, 15.7, and 14.12.

Installing the fix will not remove the vulnerability from existing installations. To remove the vulnerability, follow the instructions in the [CVE-2024-4317](https://www.postgresql.org/support/security/CVE-2024-4317/) advisory.

### PostgreSQL Version Information

| Affected Version | Fixed In | Fix Published |
|-----------------------------|----------|---------------|
| All versions prior to 16.3 | 16.3 | 2024-05-09 |
| All versions prior to 15.7 | 15.7 | 2024-05-09 |
| All versions prior to 14.12 | 14.12 | 2024-05-09 |

### EPAS Version Information

| Product | VRMF | Remediation/First Fix |
|---------|--------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|
| EPAS | All versions prior to 16.3 | Update to version 16.3 or later |
| EPAS | All versions prior to 15.7 | Update to version 15.7 or later |
| EPAS | All versions prior to 14.12 | Update to version 14.12 or later |

### PGE Version Information

| Product | VRMF | Remediation/First Fix |
|---------|--------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| PGE | All versions prior to 16.3 | Update to version 16.3 or later |
| PGE | All versions prior to 15.7 | Update to version 15.7 or later |
| PGE | All versions prior to 14.12 | Update to version 14.12 or later |

## References

* [CVSS Calculator v3.1](https://www.first.org/cvss/calculator/3.1)
* [CWE-284 Improper Access Control](http://cwe.mitre.org/data/definitions/284.html)

## Related information

* [EnterpriseDB](https://www.enterprisedb.com/)
* [EDB Blogs link](https://enterprisedb.com/blog/)

## Acknowledgement

Source: PostgreSQL.org

## Change history

9 May 2024: Original Copy Published

## Disclaimer

This document is provided on an "as is" basis and does not imply any kind of
guarantee or warranty, including the warranties of merchantability or fitness
for a particular use. Your use of the information on the document is at your own
risk. EDB reserves the right to change or update this document at any time.
Customers are therefore recommended to always view the latest version of this
document.
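Review bot: the Summary says the release-note instructions for fixing existing installations "are provided as a convenience in the below section", but the Remediation/fixes section only links out to the PostgreSQL advisory; either paste the release-note steps into that section or drop the sentence, because a reader who follows this page alone will update to 16.3/15.7/14.12 and remain vulnerable, as the paragraph before the tables itself warns. `affectedProducts: TBD` in the frontmatter and `CVSS Vector: TBC` are placeholders in a document marked First Published 2024/05/09; the frontmatter value is rendered as the `<h5>` line on both index pages touched by this PR, and a base score of 3.1 with no vector cannot be checked against the CVSS 3.1 calculator linked under References. Minor: the Change history entry is not a bullet, unlike the advisory file in this PR, and the Remediation/First Fix columns carry long runs of padding spaces that add nothing to the rendered table.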
20 changes: 20 additions & 0 deletions advocacy_docs/security/assessments/index.mdx
@@ -6,6 +6,7 @@ iconName: Security
hideKBLink: true
hideToC: false
navigation:
- cve-2024-4317
- cve-2024-1597
- cve-2024-0985
---
@@ -25,6 +26,25 @@ The CVEs listed in this section are from PostgreSQL and other parties who have r
<table class="table-bordered">


<tr><td>
<details><summary><h3 style="display:inline"> CVE-2024-4317 </h3>
<span>
&nbsp;&nbsp;<a href="cve-2024-4317">Read Assessment</a>
&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
<h5> TBD</h5>
</summary>
<hr/>
<em>Summary:</em>&nbsp;
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
<br/>
<a href="cve-2024-4317">Read More...</a>
</details></td></tr>





<tr><td>
<details><summary><h3 style="display:inline"> CVE-2024-1597 </h3>
<span>
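Review bot: `<h5> TBD</h5>` surfaces the assessment's unfilled `affectedProducts` placeholder on the assessments index, and the copied Summary tells index readers that instructions are "provided as a convenience in the below section" when no such section exists on this page; set `affectedProducts` in the assessment before regenerating this entry, and trim the index summary to the first two sentences so it does not point at content the index does not have.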
82 changes: 17 additions & 65 deletions advocacy_docs/security/index.mdx
@@ -33,90 +33,42 @@ This policy outlines how EnterpriseDB handles disclosures related to suspected v


<tr><td>
<details><summary><h3 style="display:inline">CVE-2023-41120 </h3>
<details><summary><h3 style="display:inline">CVE-2024-4545 </h3>
<span>
&nbsp;&nbsp;<a href="advisories/cve202341120">Read Advisory</a>
&nbsp;&nbsp;Updated: </span><span>2023/08/30</span>
<h4>EDB Postgres Advanced Server (EPAS) DBMS_PROFILER data may be removed without permission</h4>
<h5> All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0</h5>
&nbsp;&nbsp;<a href="advisories/cve20244545">Read Advisory</a>
&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
<h4>EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr</h4>
<h5> All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0</h5>
</summary>
<hr/>
<em>Summary:</em>&nbsp;
An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user's permissions.
All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using <code>edbldr</code> to bypass role permissions from <code>pg_read_server_files</code>. This could allow low privilege users to read files to which they would not otherwise have access.
<br/>
<a href="advisories/cve202341120">Read More...</a>
<a href="advisories/cve20244545">Read More...</a>
</details></td></tr>

</table>

<tr><td>
<details><summary><h3 style="display:inline">CVE-2023-41119 </h3>
<span>
&nbsp;&nbsp;<a href="advisories/cve202341119">Read Advisory</a>
&nbsp;&nbsp;Updated: </span><span>2023/08/30</span>
<h4>EDB Postgres Advanced Server (EPAS) dbms_aq helper function may run arbitrary SQL as a superuser</h4>
<h5> All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0</h5>
</summary>
<hr/>
<em>Summary:</em>&nbsp;
An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It contains the function _dbms_aq_move_to_exception_queue that may be used to elevate a user's privileges to superuser. This function accepts the OID of a table, and then accesses that table as the superuser by using SELECT and DML commands.
<br/>
<a href="advisories/cve202341119">Read More...</a>
</details></td></tr>


<tr><td>
<details><summary><h3 style="display:inline">CVE-2023-41118 </h3>
<span>
&nbsp;&nbsp;<a href="advisories/cve202341118">Read Advisory</a>
&nbsp;&nbsp;Updated: </span><span>2023/08/30</span>
<h4>EDB Postgres Advanced Server (EPAS) UTL_FILE permission bypass</h4>
<h5> All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0</h5>
</summary>
<hr/>
<em>Summary:</em>&nbsp;
An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It may allow an authenticated user to bypass authorization requirements and access underlying implementation functions. When a superuser has configured file locations using CREATE DIRECTORY, these functions allow users to take a wide range of actions, including read, write, copy, rename, and delete.
<br/>
<a href="advisories/cve202341118">Read More...</a>
</details></td></tr>

## Most Recent Assessments

<tr><td>
<details><summary><h3 style="display:inline">CVE-2023-41117 </h3>
<span>
&nbsp;&nbsp;<a href="advisories/cve202341117">Read Advisory</a>
&nbsp;&nbsp;Updated: </span><span>2023/08/30</span>
<h4>EDB Postgres Advanced Server (EPAS) SECURITY DEFINER functions and procedures may be hijacked via search_path</h4>
<h5> All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0</h5>
</summary>
<hr/>
<em>Summary:</em>&nbsp;
An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It contain packages, standalone packages, and functions that run SECURITY DEFINER but are inadequately secured against search_path attacks.
<br/>
<a href="advisories/cve202341117">Read More...</a>
</details></td></tr>
<table class="table-bordered">


<tr><td>
<details><summary><h3 style="display:inline">CVE-2023-41116 </h3>
<details><summary><h3 style="display:inline"> CVE-2024-4317 </h3>
<span>
&nbsp;&nbsp;<a href="advisories/cve202341116">Read Advisory</a>
&nbsp;&nbsp;Updated: </span><span>2023/08/30</span>
<h4>EDB Postgres Advanced Server (EPAS) permission bypass for materialized views</h4>
<h5> All versions of EnterpriseDB Postgres Advanced Server (EPAS) prior to 11.21.32, 12.16.20, 13.12.17, 14.9.0, 15.4.0</h5>
&nbsp;&nbsp;<a href="assessments/cve-2024-4317">Read Assessment</a>
&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
<h5> TBD</h5>
</summary>
<hr/>
<em>Summary:</em>&nbsp;
An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It allows an authenticated user to refresh any materialized view, regardless of that user's permissions.
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
<br/>
<a href="advisories/cve202341116">Read More...</a>
<a href="assessments/cve-2024-4317">Read More...</a>
</details></td></tr>

</table>

## Most Recent Assessments

<table class="table-bordered">


<tr><td>
<details><summary><h3 style="display:inline"> CVE-2024-1597 </h3>
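Review bot: as rendered, `## Most Recent Assessments` appears twice in this hunk, once immediately before the new `<table class="table-bordered">` that holds the CVE-2024-4317 row and once as unchanged context before the existing table that begins with CVE-2024-1597; if the first occurrence is an added line, the landing page ends up with a duplicated heading and the 4317 assessment in a separate table from the other assessments. Suggest inserting the CVE-2024-4317 `<tr>` at the top of the existing assessments table and leaving the heading alone. The hunk also drops the five 2023 advisory rows (CVE-2023-41116 through CVE-2023-41120) from "Most Recent Advisories", leaving a single row; that is fine if the section is meant to show only the latest batch, but say so in the PR description so it does not read as an accidental deletion. `<h5> TBD</h5>` also lands on the landing page from the unfilled `affectedProducts`. Cosmetic: `<h3 style="display:inline"> CVE-2024-4317 </h3>` has inner spaces while the CVE-2024-4545 entry above does not.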
@@ -9,7 +9,7 @@ EDB Postgres Advanced Server 12.19.24 includes the following enhancements and bu

| Type | Description | Addresses&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |
|----------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|
| Upstream merge | Merged with community PostgreSQL 12.19. Important: this release includes a fix for a security issue. See the [PostgreSQL 12.19 Release Notes](https://www.postgresql.org/docs/release/12.19/) for more information. | |
| Upstream merge | Merged with community PostgreSQL 12.19. See the [PostgreSQL 12.19 Release Notes](https://www.postgresql.org/docs/release/12.19/) for more information. | |
| Bug&nbsp;fix | Fixed an issue for `edb_filter_log`. Now it correctly redacts the password when the tab is used before the keyword. | #36220 |
| Bug&nbsp;fix | Fixed an issue for `edb_audit` on Windows. Now it correctly rotates the log files based on days configured in `edb_audit_rotation_day`. | #99282 |
| Bug&nbsp;fix | Fixed an issue to fetch all the attributes correctly from the sub link in `CONNECT BY` processing to avoid the server crash. | #102746 |
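Review bot: removing "Important: this release includes a fix for a security issue" from the 12.19.24 upstream-merge row is consistent with the CVE-2024-4317 assessment added in this PR, which states that versions before PostgreSQL 14 are unaffected, but the reason should be recorded in the PR description; deleting a security callout from already published release notes otherwise looks like an accidental edit to anyone reading the history later. The `Addresses` column for that row stays empty, which is expected when no EDB-tracked issue is being closed.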
1 comment on commit 8c3ec6e

@github-actions