ID CVE-2018-10925
Summary It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.
CVSS
Base: None
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4269.NASL
    description Two vulnerabilities have been found in the PostgreSQL database system:
      - CVE-2018-10915 Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects.
      - CVE-2018-10925 It was discovered that some 'CREATE TABLE' statements could disclose server memory.
      For additional information please refer to the upstream announcement at https://www.postgresql.org/about/news/1878/
    last seen 2018-08-15
    modified 2018-08-13
    plugin id 111653
    published 2018-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111653
    title Debian DSA-4269-1 : postgresql-9.6 - security update
  • NASL family Databases
    NASL id POSTGRESQL_20180809.NASL
    description The version of PostgreSQL installed on the remote host is 9.3.x prior to 9.3.24, 9.4.x prior to 9.4.19, 9.5.x prior to 9.5.14, 9.6.x prior to 9.6.10, or 10.x prior to 10.5. It is, therefore, affected by multiple vulnerabilities.
    last seen 2018-08-18
    modified 2018-08-17
    plugin id 111966
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111966
    title PostgreSQL 9.3.x < 9.3.24 / 9.4.x < 9.4.19 / 9.5.x < 9.5.14 / 9.6.x < 9.6.10 / 10.x < 10.5 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-D8F5AEA89D.NASL
    description update to 9.6.10, CVE-2018-10915 CVE-2018-10925 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-08-17
    modified 2018-08-16
    plugin id 111770
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111770
    title Fedora 27 : postgresql (2018-d8f5aea89d)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_96EAB8749C7911E8B34B6CC21735F730.NASL
    description The PostgreSQL project reports:
      CVE-2018-10915: Certain host connection parameters defeat client-side security defenses. libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the 'dblink' or 'postgres_fdw' extensions, to log in to servers they should not be able to access.
      CVE-2018-10925: Memory disclosure and missing authorization in `INSERT ... ON CONFLICT DO UPDATE`. An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.
    last seen 2018-08-15
    modified 2018-08-13
    plugin id 111656
    published 2018-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111656
    title FreeBSD : PostgreSQL -- two vulnerabilities (96eab874-9c79-11e8-b34b-6cc21735f730)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0178.NASL
    description An update of 'python2', 'strongswan', 'python3', 'postgresql' packages of Photon OS has been released.
    last seen 2018-09-01
    modified 2018-08-31
    plugin id 112221
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112221
    title Photon OS 1.0: Postgresql / Python2 / Python3 / Strongswan PHSA-2018-1.0-0178
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-955.NASL
    description This update for postgresql10 fixes the following issues:
      PostgreSQL 10 was updated to 10.5:
      - https://www.postgresql.org/about/news/1851/
      - https://www.postgresql.org/docs/current/static/release-10-5.html
      A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs.
      Security issues fixed:
      - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function. pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed (bsc#1091610).
      - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtained access to higher privileged connections or potentially caused other impact such as SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199).
      - CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes of server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202).
      This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 112269
    published 2018-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112269
    title openSUSE Security Update : postgresql10 (openSUSE-2018-955)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3744-1.NASL
    description Andrew Krasichkov discovered that the PostgreSQL client library incorrectly reset its internal state between connections. A remote attacker could possibly use this issue to bypass certain client-side connection security features. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10915) It was discovered that PostgreSQL incorrectly checked authorization on certain statements. A remote attacker could possibly use this issue to read arbitrary server memory or alter certain data. (CVE-2018-10925). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 111844
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111844
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : postgresql-10, postgresql-9.3, postgresql-9.5 vulnerabilities (USN-3744-1)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0087.NASL
    description An update of 'krb5', 'postgresql' packages of Photon OS has been released.
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 112220
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112220
    title Photon OS 2.0: Krb5 / Postgresql PHSA-2018-2.0-0087
redhat via4
advisories
  • rhsa
    id RHSA-2018:2511
  • rhsa
    id RHSA-2018:2565
  • rhsa
    id RHSA-2018:2566
refmap via4
bid 105052
confirm
debian DSA-4269
sectrack 1041446
ubuntu USN-3744-1
Last major update 09-08-2018 - 17:29
Published 09-08-2018 - 17:29
Last modified 28-08-2018 - 06:29