Risk | Low |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2017-7484 CVE-2017-7486 |
CWE-ID | CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Amazon Linux AMI Operating systems & Components / Operating system |
Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU6892
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7484
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper privilege checking before providing information from pg_statistic. A remote attacker can send a specially crafted request to bypass SELECT privilege checks, cause memory leak and steal some information from ostensibly restricted tables.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
i686:Vulnerable software versions
postgresql92-plperl-9.2.21-1.60.amzn1.i686
postgresql92-server-9.2.21-1.60.amzn1.i686
postgresql92-libs-9.2.21-1.60.amzn1.i686
postgresql92-9.2.21-1.60.amzn1.i686
postgresql92-plpython26-9.2.21-1.60.amzn1.i686
postgresql92-pltcl-9.2.21-1.60.amzn1.i686
postgresql92-docs-9.2.21-1.60.amzn1.i686
postgresql92-contrib-9.2.21-1.60.amzn1.i686
postgresql92-debuginfo-9.2.21-1.60.amzn1.i686
postgresql92-server-compat-9.2.21-1.60.amzn1.i686
postgresql92-plpython27-9.2.21-1.60.amzn1.i686
postgresql92-devel-9.2.21-1.60.amzn1.i686
postgresql92-test-9.2.21-1.60.amzn1.i686
src:
postgresql92-9.2.21-1.60.amzn1.src
x86_64:
postgresql92-plperl-9.2.21-1.60.amzn1.x86_64
postgresql92-libs-9.2.21-1.60.amzn1.x86_64
postgresql92-pltcl-9.2.21-1.60.amzn1.x86_64
postgresql92-plpython26-9.2.21-1.60.amzn1.x86_64
postgresql92-test-9.2.21-1.60.amzn1.x86_64
postgresql92-server-9.2.21-1.60.amzn1.x86_64
postgresql92-9.2.21-1.60.amzn1.x86_64
postgresql92-plpython27-9.2.21-1.60.amzn1.x86_64
postgresql92-debuginfo-9.2.21-1.60.amzn1.x86_64
postgresql92-server-compat-9.2.21-1.60.amzn1.x86_64
postgresql92-contrib-9.2.21-1.60.amzn1.x86_64
postgresql92-devel-9.2.21-1.60.amzn1.x86_64
postgresql92-docs-9.2.21-1.60.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2017-838.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU6894
Risk: Low
CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-7486
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper implementation of pg_user_mappings access qualifications. A remote attacker with USAGE privilege on the associated foreign server can send a specially crafted request to trigger memory leak in pg_user_mappings view and disclose foreign server passwords.
Successful exploitation of the vulnerability results in information disclosure.
Update the affected packages.
i686:Vulnerable software versions
postgresql92-plperl-9.2.21-1.60.amzn1.i686
postgresql92-server-9.2.21-1.60.amzn1.i686
postgresql92-libs-9.2.21-1.60.amzn1.i686
postgresql92-9.2.21-1.60.amzn1.i686
postgresql92-plpython26-9.2.21-1.60.amzn1.i686
postgresql92-pltcl-9.2.21-1.60.amzn1.i686
postgresql92-docs-9.2.21-1.60.amzn1.i686
postgresql92-contrib-9.2.21-1.60.amzn1.i686
postgresql92-debuginfo-9.2.21-1.60.amzn1.i686
postgresql92-server-compat-9.2.21-1.60.amzn1.i686
postgresql92-plpython27-9.2.21-1.60.amzn1.i686
postgresql92-devel-9.2.21-1.60.amzn1.i686
postgresql92-test-9.2.21-1.60.amzn1.i686
src:
postgresql92-9.2.21-1.60.amzn1.src
x86_64:
postgresql92-plperl-9.2.21-1.60.amzn1.x86_64
postgresql92-libs-9.2.21-1.60.amzn1.x86_64
postgresql92-pltcl-9.2.21-1.60.amzn1.x86_64
postgresql92-plpython26-9.2.21-1.60.amzn1.x86_64
postgresql92-test-9.2.21-1.60.amzn1.x86_64
postgresql92-server-9.2.21-1.60.amzn1.x86_64
postgresql92-9.2.21-1.60.amzn1.x86_64
postgresql92-plpython27-9.2.21-1.60.amzn1.x86_64
postgresql92-debuginfo-9.2.21-1.60.amzn1.x86_64
postgresql92-server-compat-9.2.21-1.60.amzn1.x86_64
postgresql92-contrib-9.2.21-1.60.amzn1.x86_64
postgresql92-devel-9.2.21-1.60.amzn1.x86_64
postgresql92-docs-9.2.21-1.60.amzn1.x86_64
Amazon Linux AMI: All versions
External linkshttp://alas.aws.amazon.com/ALAS-2017-838.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.