SB2017120610 - Amazon Linux AMI update for postgresql92, postgresql93, postgresql94
Published: December 6, 2017
Security Bulletin ID
SB2017120610
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Improper access control (CVE-ID: CVE-2017-12172)
The vulnerability allows a local attacker to cause DoS condition or obtain potentially sensitive information on a targeted system.The weakness exists due to a flaw in certain non-default startup scripts. A local attacker with the privileges of the database server can create a symbolic link from the $PGLOG file to a critical file and modify the target file.
2) Data handling (CVE-ID: CVE-2017-15098)
The vulnerability allows a remote authenticated attacker to cause DoS condition or obtain potentially sensitive information on a targeted system.The weakness exists due to improper data handling. A remote attacker can send specially crafted data to trigger a rowtype mismatch in json{b}_populate_recordset(), cause the application to crash or read arbitrary data.
Remediation
Install update from vendor's website.