SB2023090238 - openEuler 22.03 LTS SP1 update for libpq

Description

This security bulletin contains information about 4 vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-2454)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote user to execute arbitrary code on the system.

The vulnerability exists due to improperly imposed security restrictions. A remote database user with   CREATE privilege can bypass protective search_path changes via "CREATE SCHEMA ... schema_element" command and execute arbitrary code on the system.

2) Security features bypass (CVE-ID: CVE-2023-2455)

CWE-ID: CWE-254 - Security Features

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to incomplete fix for #VU40402 (CVE-2016-2193) that did not anticipate a scenario involving function inlining. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications.

This affects only databases that have used CREATE POLICY to define a row security policy.

3) SQL injection (CVE-ID: CVE-2023-39417)

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the extension script @substitutions@, which uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-39418)

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to the MERGE command does not properly enforce UPDATE or SELECT row security policies. A remote user can read or update protected data.

Remediation

Install update from vendor's website.

References

• https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1567