ID CVE-2018-10915
Summary A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.
References
Vulnerable Configurations
CVSS
Base: None
Impact:
Exploitability:
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-2557.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.24). (BZ#1612667) Security Fix(es) : * postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Andrew Krasichkov as the original reporter.
    last seen 2018-08-30
    modified 2018-08-29
    plugin id 112163
    published 2018-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112163
    title CentOS 7 : postgresql (CESA-2018:2557)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180823_POSTGRESQL_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: postgresql (9.2.24). Security Fix(es) : - postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915)
    last seen 2018-08-25
    modified 2018-08-24
    plugin id 112105
    published 2018-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112105
    title Scientific Linux Security Update : postgresql on SL7.x x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-2557.NASL
    description From Red Hat Security Advisory 2018:2557 : An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.24). (BZ#1612667) Security Fix(es) : * postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Andrew Krasichkov as the original reporter.
    last seen 2018-08-25
    modified 2018-08-24
    plugin id 112103
    published 2018-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112103
    title Oracle Linux 7 : postgresql (ELSA-2018-2557)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4269.NASL
    description Two vulnerabilities have been found in the PostgreSQL database system : - CVE-2018-10915 Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects. - CVE-2018-10925 It was discovered that some 'CREATE TABLE' statements could disclose server memory. For additional information please refer to the upstream announcement at https://www.postgresql.org/about/news/1878/
    last seen 2018-08-15
    modified 2018-08-13
    plugin id 111653
    published 2018-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111653
    title Debian DSA-4269-1 : postgresql-9.6 - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1464.NASL
    description An unprivileged user of dblink or postgres_fdw could bypass the checks intended to prevent use of server-side credentials, such as a ~/.pgpass file owned by the operating-system user running the server. Servers allowing peer authentication on local connections are particularly vulnerable. Other attacks such as SQL injection into a postgres_fdw session are also possible. Attacking postgres_fdw in this way requires the ability to create a foreign server object with selected connection parameters, but any user with access to dblink could exploit the problem. In general, an attacker with the ability to select the connection parameters for a libpq-using application could cause mischief, though other plausible attack scenarios are harder to think of. Our thanks to Andrew Krasichkov for reporting this issue. For Debian 8 'Jessie', this problem has been fixed in version 9.4.19-0+deb8u1. We recommend that you upgrade your postgresql-9.4 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-08-17
    modified 2018-08-16
    plugin id 111762
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111762
    title Debian DLA-1464-1 : postgresql-9.4 security update
  • NASL family Databases
    NASL id POSTGRESQL_20180809.NASL
    description The version of PostgreSQL installed on the remote host is 9.3.x prior to 9.3.24, 9.4.x prior to 9.4.19, 9.5.x prior to 9.5.14, 9.6.x prior to 9.6.10, or 10.x prior to 10.5. It is, therefore, affected by multiple vulnerabilities.
    last seen 2018-08-18
    modified 2018-08-17
    plugin id 111966
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111966
    title PostgreSQL 9.3.x < 9.3.24 / 9.4.x < 9.4.19 / 9.5.x < 9.5.14 / 9.6.x < 9.6.10 / 10.x < 10.5 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-D8F5AEA89D.NASL
    description update to 9.6.10, CVE-2018-10915 CVE-2018-10925 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-08-17
    modified 2018-08-16
    plugin id 111770
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111770
    title Fedora 27 : postgresql (2018-d8f5aea89d)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_96EAB8749C7911E8B34B6CC21735F730.NASL
    description The PostgreSQL project reports : CVE-2018-10915: Certain host connection parameters defeat client-side security defenses libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the 'dblink' or 'postgres_fdw' extensions, to login to servers they should not be able to access. CVE-2018-10925: Memory disclosure and missing authorization in `INSERT ... ON CONFLICT DO UPDATE` An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.
    last seen 2018-08-15
    modified 2018-08-13
    plugin id 111656
    published 2018-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111656
    title FreeBSD : PostgreSQL -- two vulnerabilities (96eab874-9c79-11e8-b34b-6cc21735f730)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0178.NASL
    description An update of 'python2', 'strongswan', 'python3', 'postgresql' packages of Photon OS has been released.
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 112221
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112221
    title Photon OS 1.0: Postgresql / Python2 / Python3 / Strongswan PHSA-2018-1.0-0178
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2557.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.24). (BZ#1612667) Security Fix(es) : * postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Andrew Krasichkov as the original reporter.
    last seen 2018-08-25
    modified 2018-08-24
    plugin id 112104
    published 2018-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112104
    title RHEL 7 : postgresql (RHSA-2018:2557)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-955.NASL
    description This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed (bsc#1091610). - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtained access to higher privileged connections or potentially caused other impact through SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) - CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202). This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 112269
    published 2018-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112269
    title openSUSE Security Update : postgresql10 (openSUSE-2018-955)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2643.NASL
    description An update for rhvm-appliance is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The RHV-M Virtual Appliance automates the process of installing and configuring the Red Hat Virtualization Manager. The appliance is available to download as an OVA file from the Customer Portal. The following packages have been upgraded to a later upstream version: rhvm-appliance (4.2). (BZ#1590658, BZ#1591095, BZ#1591096, BZ#1592655, BZ#1594636, BZ#1597534, BZ#1612683) Red Hat would like to thank the PostgreSQL project for reporting CVE-2018-10915 and Ammarit Thongthua (Deloitte Thailand Pentest team) and Nattakit Intarasorn (Deloitte Thailand Pentest team) for reporting CVE-2018-1067. Upstream acknowledges Andrew Krasichkov as the original reporter of CVE-2018-10915. Security fixes : * vulnerability: wildfly-core: Path traversal can allow the extraction of .war archives to write arbitrary files (Zip Slip) (CVE-2018-10862) * vulnerability: apache-cxf: TLS hostname verification does not work correctly with com.sun.net.ssl.* (CVE-2018-8039) * vulnerability: postgresql: Certain host connection parameters defeat client-side security defenses (CVE-2018-10915) * vulnerability: undertow: HTTP header injection using CRLF with UTF-8 Encoding (incomplete fix of ) (CVE-2018-1067, CVE-2016-4993) * vulnerability: undertow: File descriptor leak caused by JarURLConnection.getLastModified() allows attacker to cause a denial of service (CVE-2018-1114) * vulnerability: guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote attackers to cause a denial of service (CVE-2018-10237) * vulnerability: bouncycastle: flaw in the low-level interface to RSA key pair generator (CVE-2018-1000180) For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the References section.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 117324
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117324
    title RHEL 7 : Virtualization (RHSA-2018:2643)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3744-1.NASL
    description Andrew Krasichkov discovered that the PostgreSQL client library incorrectly reset its internal state between connections. A remote attacker could possibly use this issue to bypass certain client-side connection security features. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10915) It was discovered that PostgreSQL incorrectly checked authorization on certain statements. A remote attacker could possibly use this issue to read arbitrary server memory or alter certain data. (CVE-2018-10925). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 111844
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111844
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : postgresql-10, postgresql-9.3, postgresql-9.5 vulnerabilities (USN-3744-1)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0087.NASL
    description An update of 'krb5', 'postgresql' packages of Photon OS has been released.
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 112220
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112220
    title Photon OS 2.0: Krb5 / Postgresql PHSA-2018-2.0-0087
redhat via4
advisories
  • bugzilla
    id 1609891
    title CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment postgresql is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557007
        • comment postgresql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908006
      • AND
        • comment postgresql-contrib is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557015
        • comment postgresql-contrib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908014
      • AND
        • comment postgresql-devel is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557025
        • comment postgresql-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908010
      • AND
        • comment postgresql-docs is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557023
        • comment postgresql-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908016
      • AND
        • comment postgresql-libs is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557013
        • comment postgresql-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908024
      • AND
        • comment postgresql-plperl is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557021
        • comment postgresql-plperl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908022
      • AND
        • comment postgresql-plpython is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557027
        • comment postgresql-plpython is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908018
      • AND
        • comment postgresql-pltcl is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557017
        • comment postgresql-pltcl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908020
      • AND
        • comment postgresql-server is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557011
        • comment postgresql-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908012
      • AND
        • comment postgresql-static is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557005
        • comment postgresql-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20171983026
      • AND
        • comment postgresql-test is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557009
        • comment postgresql-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908008
      • AND
        • comment postgresql-upgrade is earlier than 0:9.2.24-1.el7_5
          oval oval:com.redhat.rhsa:tst:20182557019
        • comment postgresql-upgrade is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150750037
    rhsa
    id RHSA-2018:2557
    released 2018-08-23
    severity Important
    title RHSA-2018:2557: postgresql security update (Important)
  • rhsa
    id RHSA-2018:2511
  • rhsa
    id RHSA-2018:2565
  • rhsa
    id RHSA-2018:2566
  • rhsa
    id RHSA-2018:2643
rpms
  • postgresql-0:9.2.24-1.el7_5
  • postgresql-contrib-0:9.2.24-1.el7_5
  • postgresql-devel-0:9.2.24-1.el7_5
  • postgresql-docs-0:9.2.24-1.el7_5
  • postgresql-libs-0:9.2.24-1.el7_5
  • postgresql-plperl-0:9.2.24-1.el7_5
  • postgresql-plpython-0:9.2.24-1.el7_5
  • postgresql-pltcl-0:9.2.24-1.el7_5
  • postgresql-server-0:9.2.24-1.el7_5
  • postgresql-static-0:9.2.24-1.el7_5
  • postgresql-test-0:9.2.24-1.el7_5
  • postgresql-upgrade-0:9.2.24-1.el7_5
refmap via4
bid 105054
confirm
debian DSA-4269
mlist [debian-lts-announce] 20180815 [SECURITY] [DLA 1464-1] postgresql-9.4 security update
sectrack 1041446
ubuntu USN-3744-1
Last major update 09-08-2018 - 16:29
Published 09-08-2018 - 16:29
Last modified 19-09-2018 - 06:29