Risk | Low |
Patch available | YES |
Number of vulnerabilities | 7 |
CVE-ID | CVE-2014-0060 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 |
CWE-ID | CWE-264 CWE-362 CWE-121 CWE-20 CWE-119 CWE-476 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Amazon Linux AMI (Operating systems & Components / Operating system) |
Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
EUVDB-ID: #VU41880
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-0060
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to manipulate data.
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Mitigation
Update the affected packages:
i686:
postgresql8-libs-8.4.20-1.44.amzn1.i686
postgresql8-test-8.4.20-1.44.amzn1.i686
postgresql8-plpython-8.4.20-1.44.amzn1.i686
postgresql8-debuginfo-8.4.20-1.44.amzn1.i686
postgresql8-pltcl-8.4.20-1.44.amzn1.i686
postgresql8-devel-8.4.20-1.44.amzn1.i686
postgresql8-plperl-8.4.20-1.44.amzn1.i686
postgresql8-contrib-8.4.20-1.44.amzn1.i686
postgresql8-8.4.20-1.44.amzn1.i686
postgresql8-server-8.4.20-1.44.amzn1.i686
postgresql8-docs-8.4.20-1.44.amzn1.i686
src:
postgresql8-8.4.20-1.44.amzn1.src
x86_64:
postgresql8-pltcl-8.4.20-1.44.amzn1.x86_64
postgresql8-contrib-8.4.20-1.44.amzn1.x86_64
postgresql8-server-8.4.20-1.44.amzn1.x86_64
postgresql8-plpython-8.4.20-1.44.amzn1.x86_64
postgresql8-8.4.20-1.44.amzn1.x86_64
postgresql8-libs-8.4.20-1.44.amzn1.x86_64
postgresql8-debuginfo-8.4.20-1.44.amzn1.x86_64
postgresql8-plperl-8.4.20-1.44.amzn1.x86_64
postgresql8-docs-8.4.20-1.44.amzn1.x86_64
postgresql8-test-8.4.20-1.44.amzn1.x86_64
postgresql8-devel-8.4.20-1.44.amzn1.x86_64
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2014-305.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41873
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-0061
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
Mitigation
Update the affected packages to the versions listed under CVE-2014-0060 (EUVDB-ID #VU41880) above; the package list is identical for every vulnerability in this bulletin.
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2014-305.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41874
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-0062
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.
Mitigation
Update the affected packages to the versions listed under CVE-2014-0060 (EUVDB-ID #VU41880) above; the package list is identical for every vulnerability in this bulletin.
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2014-305.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41875
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-0063
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065. A remote unauthenticated attacker can trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Update the affected packages to the versions listed under CVE-2014-0060 (EUVDB-ID #VU41880) above; the package list is identical for every vulnerability in this bulletin.
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2014-305.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41876
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-0064
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.
Mitigation
Update the affected packages to the versions listed under CVE-2014-0060 (EUVDB-ID #VU41880) above; the package list is identical for every vulnerability in this bulletin.
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2014-305.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41877
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-0065
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.
Mitigation
Update the affected packages to the versions listed under CVE-2014-0060 (EUVDB-ID #VU41880) above; the package list is identical for every vulnerability in this bulletin.
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2014-305.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41878
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2014-0066
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via unspecified vectors.
Mitigation
Update the affected packages to the versions listed under CVE-2014-0060 (EUVDB-ID #VU41880) above; the package list is identical for every vulnerability in this bulletin.
Vulnerable software versions
Amazon Linux AMI: All versions
External links
https://alas.aws.amazon.com/ALAS-2014-305.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.