Multiple vulnerabilities in PostgreSQL



Published: 2021-11-11
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2021-23214
CVE-2021-23222
CWE-ID CWE-311
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe
PostgreSQL
Server applications / Database software

Vendor PostgreSQL Global Development Group

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Missing Encryption of Sensitive Data

EUVDB-ID: #VU58113

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23214

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way PostgreSQL handles encrypted connections. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 14.0, 13.0 - 13.4, 12 - 12.8, 11.0 - 11.13, 10.1 - 10.18, 9.6.0 - 9.6.23


CPE2.3 External links

http://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Missing Encryption of Sensitive Data

EUVDB-ID: #VU58114

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23222

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way the libpq process in PostgreSQL handles encrypted connections. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. The attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 14.0, 13.0 - 13.4, 12 - 12.8, 11.0 - 11.13, 10.0 - 10.18, 9.6.0 - 9.6.23


CPE2.3 External links

http://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###