ID CVE-2017-7485
Summary In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
References
Vulnerable Configurations
  • PostgreSQL PostgreSQL 9.3
    cpe:2.3:a:postgresql:postgresql:9.3
  • PostgreSQL PostgreSQL 9.3.1
    cpe:2.3:a:postgresql:postgresql:9.3.1
  • PostgreSQL PostgreSQL 9.3.2
    cpe:2.3:a:postgresql:postgresql:9.3.2
  • PostgreSQL PostgreSQL 9.3.3
    cpe:2.3:a:postgresql:postgresql:9.3.3
  • PostgreSQL 9.3.4
    cpe:2.3:a:postgresql:postgresql:9.3.4
  • PostgreSQL 9.3.5
    cpe:2.3:a:postgresql:postgresql:9.3.5
  • PostgreSQL 9.3.6
    cpe:2.3:a:postgresql:postgresql:9.3.6
  • PostgreSQL 9.3.7
    cpe:2.3:a:postgresql:postgresql:9.3.7
  • PostgreSQL 9.3.8
    cpe:2.3:a:postgresql:postgresql:9.3.8
  • PostgreSQL 9.3.9
    cpe:2.3:a:postgresql:postgresql:9.3.9
  • PostgreSQL 9.3.10
    cpe:2.3:a:postgresql:postgresql:9.3.10
  • PostgreSQL 9.3.11
    cpe:2.3:a:postgresql:postgresql:9.3.11
  • PostgreSQL 9.3.12
    cpe:2.3:a:postgresql:postgresql:9.3.12
  • PostgreSQL 9.3.13
    cpe:2.3:a:postgresql:postgresql:9.3.13
  • PostgreSQL 9.3.14
    cpe:2.3:a:postgresql:postgresql:9.3.14
  • PostgreSQL 9.3.15
    cpe:2.3:a:postgresql:postgresql:9.3.15
  • PostgreSQL 9.3.16
    cpe:2.3:a:postgresql:postgresql:9.3.16
  • PostgreSQL PostgreSQL 9.4
    cpe:2.3:a:postgresql:postgresql:9.4
  • PostgreSQL 9.4.1
    cpe:2.3:a:postgresql:postgresql:9.4.1
  • PostgreSQL 9.4.2
    cpe:2.3:a:postgresql:postgresql:9.4.2
  • PostgreSQL 9.4.3
    cpe:2.3:a:postgresql:postgresql:9.4.3
  • PostgreSQL 9.4.4
    cpe:2.3:a:postgresql:postgresql:9.4.4
  • PostgreSQL PostgreSQL 9.4.5
    cpe:2.3:a:postgresql:postgresql:9.4.5
  • PostgreSQL 9.4.6
    cpe:2.3:a:postgresql:postgresql:9.4.6
  • PostgreSQL 9.4.7
    cpe:2.3:a:postgresql:postgresql:9.4.7
  • PostgreSQL 9.4.8
    cpe:2.3:a:postgresql:postgresql:9.4.8
  • PostgreSQL 9.4.9
    cpe:2.3:a:postgresql:postgresql:9.4.9
  • PostgreSQL 9.4.10
    cpe:2.3:a:postgresql:postgresql:9.4.10
  • PostgreSQL 9.4.11
    cpe:2.3:a:postgresql:postgresql:9.4.11
  • PostgreSQL PostgreSQL 9.5
    cpe:2.3:a:postgresql:postgresql:9.5
  • PostgreSQL 9.5.1
    cpe:2.3:a:postgresql:postgresql:9.5.1
  • PostgreSQL 9.5.2
    cpe:2.3:a:postgresql:postgresql:9.5.2
  • PostgreSQL 9.5.3
    cpe:2.3:a:postgresql:postgresql:9.5.3
  • PostgreSQL 9.5.4
    cpe:2.3:a:postgresql:postgresql:9.5.4
  • PostgreSQL 9.5.5
    cpe:2.3:a:postgresql:postgresql:9.5.5
  • PostgreSQL 9.5.6
    cpe:2.3:a:postgresql:postgresql:9.5.6
  • PostgreSQL 9.6
    cpe:2.3:a:postgresql:postgresql:9.6
  • PostgreSQL 9.6.1
    cpe:2.3:a:postgresql:postgresql:9.6.1
  • PostgreSQL 9.6.2
    cpe:2.3:a:postgresql:postgresql:9.6.2
CVSS
Base: 4.3
Impact:
Exploitability:
CWE CWE-310
CAPEC
  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1441-1.NASL
    description This update for postgresql93 fixes the following issues: The PostgreSQL package was updated to 9.3.17, bringing various bug and security fixes. Bug fixes : - bsc#1029547: Fix tests with timezone 2017a - CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624) - CVE-2017-7485: Recognize PGREQUIRESSL variable again. (bsc#1038293) - CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603) More details can be found in the PostgreSQL release announcements : - https://www.postgresql.org/docs/9.3/static/release-9-3-17.html - https://www.postgresql.org/docs/9.3/static/release-9-3-16.html - https://www.postgresql.org/docs/9.3/static/release-9-3-15.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 100538
    published 2017-05-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100538
    title SUSE SLES12 Security Update : postgresql93 (SUSE-SU-2017:1441-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201710-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201710-06 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. Impact : A remote attacker could escalate privileges, cause a Denial of Service condition, obtain passwords, cause a loss in information, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 103724
    published 2017-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103724
    title GLSA-201710-06 : PostgreSQL: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1690-1.NASL
    description This update for postgresql94 to 9.4.12 fixes the following issues: Upstream changelogs : - https://www.postgresql.org/docs/9.4/static/release-9-4-12.html - https://www.postgresql.org/docs/9.4/static/release-9-4-11.html - https://www.postgresql.org/docs/9.4/static/release-9-4-10.html Security issues fixed : - CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624) Please note that manual action is needed to fix this in existing databases See the upstream release notes for details. - CVE-2017-7485: recognize PGREQUIRESSL variable again. (bsc#1038293) - CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603) Changes in version 9.4.12 : - Build corruption with CREATE INDEX CONCURRENTLY - Fixes for visibility and write-ahead-log stability Changes in version 9.4.10 : - Fix WAL-logging of truncation of relation free space maps and visibility maps - Fix incorrect creation of GIN index WAL records on big-endian machines - Fix SELECT FOR UPDATE/SHARE to correctly lock tuples that have been updated by a subsequently-aborted transaction - Fix EvalPlanQual rechecks involving CTE scans - Fix improper repetition of previous results from hashed aggregation in a subquery The libraries libpq and libecpg are now supplied by postgresql 9.6. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 101060
    published 2017-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101060
    title SUSE SLED12 / SLES12 Security Update : postgresql94 (SUSE-SU-2017:1690-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-0D5817EFC0.NASL
    description Fixes CVE-2017-7484 CVE-2017-7485 CVE-2017-7486. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 101572
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101572
    title Fedora 26 : mingw-postgresql (2017-0d5817efc0)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3851.NASL
    description Several vulnerabilities have been found in the PostgreSQL database system : - CVE-2017-7484 Robert Haas discovered that some selectivity estimators did not validate user privileges which could result in information disclosure. - CVE-2017-7485 Daniel Gustafsson discovered that the PGREQUIRESSL environment variable did no longer enforce a TLS connection. - CVE-2017-7486 Andrew Wheelwright discovered that user mappings were insufficiently restricted.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 100165
    published 2017-05-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100165
    title Debian DSA-3851-1 : postgresql-9.4 - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1783-1.NASL
    description This update for postgresql93 fixes the following issues : - bsc#1029547: Fix tests with timezone 2017a - CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624) - CVE-2017-7485: Recognize PGREQUIRESSL variable again. (bsc#1038293) - CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 101260
    published 2017-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101260
    title SUSE SLES11 Security Update : postgresql94 (SUSE-SU-2017:1783-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-1838.NASL
    description An update for rh-postgresql95-postgresql is now available for Red Hat Satellite 5.8 and Red Hat Satellite 5.8 ELS. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This update applies only to Satellite 5.8 instances using either embedded or managed PostgreSQL databases. There are manual steps required in order to finish the migration from postgresql92-postgresql to rh-postgresql95-postgresql. If these steps are not undertaken, the affected Satellite will continue to use PostgreSQL 9.2. postgresql92-postgresql will be upgraded automatically to rh-postgresql95-postgresql as part of an upgrade to Satellite 5.8. PostgreSQL is an advanced object-relational database management system (DBMS). Security Fix(es) : * It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. A non-administrative database user could use this flaw to steal some information from tables they are otherwise not allowed to access. (CVE-2017-7484) * It was discovered that the PostgreSQL client library (libpq) did not enforce the use of TLS/SSL for a connection to a PostgreSQL server when the PGREQUIRESSL environment variable was set. An man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2017-7485) * It was found that the pg_user_mappings view could disclose information about user mappings to a foreign database to non-administrative database users. A database user with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database. (CVE-2017-7486) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Robert Haas as the original reporter of CVE-2017-7484; Daniel Gustafsson as the original reporter of CVE-2017-7485; and Andrew Wheelwright as the original reporter of CVE-2017-7486.
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 102142
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102142
    title RHEL 5 : rh-postgresql95-postgresql (RHSA-2017:1838)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-839.NASL
    description Selectivity estimators bypass SELECT privilege checks It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. (CVE-2017-7484) libpq ignores PGREQUIRESSL environment variable It was found that the PGREQUIRESSL was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2017-7485) pg_user_mappings view discloses foreign server passwords It was found that the pg_user_mappings view from postgresql could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database. (CVE-2017-7486)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 100640
    published 2017-06-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100640
    title Amazon Linux AMI : postgresql93 / postgresql94,postgresql95 (ALAS-2017-839)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-657.NASL
    description This update for postgresql93 fixes the following issues : The PostgreSQL package was updated to 9.3.17, bringing various bug and security fixes. Security fixes : - CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624) - CVE-2017-7485: Recognize PGREQUIRESSL variable again. (bsc#1038293) - CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603) More details can be found in the PostgreSQL release announcements : - https://www.postgresql.org/docs/9.3/static/release-9-3-17.html - https://www.postgresql.org/docs/9.3/static/release-9-3-16.html - https://www.postgresql.org/docs/9.3/static/release-9-3-15.html This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 100659
    published 2017-06-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100659
    title openSUSE Security Update : postgresql93 (openSUSE-2017-657)
  • NASL family Databases
    NASL id POSTGRESQL_20170511.NASL
    description The version of PostgreSQL installed on the remote host is 9.2.x prior to 9.2.21, 9.3.x prior to 9.3.17, 9.4.x prior to 9.4.12, 9.5.x prior to 9.5.7, or 9.6.x prior to 9.6.3. It is, therefore, affected by multiple vulnerabilities : - A information disclosure vulnerability exists in unspecified selectivity estimation functions due to improper checking of user privileges before providing information from pg_statistics. An authenticated, remote attacker can exploit this to disclose potentially sensitive information from restricted tables. (CVE-2017-7484) - A flaw exists because the PGREQUIRESSL environment variable setting is not properly honored, which results in a failure to require appropriate SSL/TLS connections. A man-in-the-middle attacker can exploit this to cause an insecure, non-SSL/TLS connection between a client and and a server. Note that version 9.2.x is not affected by this vulnerability. (CVE-2017-7485) - A information disclosure vulnerability exists in the pg_user_mappings view that allows access to user mappings which may contain passwords that have persisted from the CREATE USER MAPPING command. An authenticated, remote attacker who has USAGE privilege on the associated foreign server can exploit this to disclose foreign server passwords. (CVE-2017-7486)
    last seen 2019-02-21
    modified 2018-12-14
    plugin id 100260
    published 2017-05-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100260
    title PostgreSQL 9.2.x < 9.2.21 / 9.3.x < 9.3.17 / 9.4.x < 9.4.12 / 9.5.x < 9.5.7 / 9.6.x < 9.6.3 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-770.NASL
    description This update for postgresql94 to 9.4.12 fixes the following issues : Upstream changelogs : - https://www.postgresql.org/docs/9.4/static/release-9-4-12.html - https://www.postgresql.org/docs/9.4/static/release-9-4-11.html - https://www.postgresql.org/docs/9.4/static/release-9-4-10.html Security issues fixed : - CVE-2017-7486: Restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1037624) Please note that manual action is needed to fix this in existing databases See the upstream release notes for details. - CVE-2017-7485: recognize PGREQUIRESSL variable again. (bsc#1038293) - CVE-2017-7484: Prevent exposure of statistical information via leaky operators. (bsc#1037603) Changes in version 9.4.12 : - Build corruption with CREATE INDEX CONCURRENTLY - Fixes for visibility and write-ahead-log stability Changes in version 9.4.10 : - Fix WAL-logging of truncation of relation free space maps and visibility maps - Fix incorrect creation of GIN index WAL records on big-endian machines - Fix SELECT FOR UPDATE/SHARE to correctly lock tuples that have been updated by a subsequently-aborted transaction - Fix EvalPlanQual rechecks involving CTE scans - Fix improper repetition of previous results from hashed aggregation in a subquery The libraries libpq and libecpg are now supplied by postgresql 9.6. This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 101220
    published 2017-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101220
    title openSUSE Security Update : postgresql94 (openSUSE-2017-770)
redhat via4
advisories
  • rhsa
    id RHSA-2017:1677
  • rhsa
    id RHSA-2017:1678
  • rhsa
    id RHSA-2017:1838
  • rhsa
    id RHSA-2017:2425
refmap via4
bid 98461
confirm https://www.postgresql.org/about/news/1746/
debian DSA-3851
gentoo GLSA-201710-06
sectrack 1038476
Last major update 12-05-2017 - 15:29
Published 12-05-2017 - 15:29
Last modified 04-01-2018 - 21:31
Back to Top