Denial of service in PostgreSQL

#VU10437 Denial of service in PostgreSQL

Published: 2018-02-09 | Updated: 2018-02-13

Vulnerability identifier: #VU10437

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1052

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description
The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper processing of partition keys that contains multiple expressions. A remote attacker can send specially crafted input and cause the application to crash.

Mitigation
Update to version 10.2.

Vulnerable software versions

PostgreSQL: 10.0 - 10.1

External links
http://www.postgresql.org/docs/current/static/release-10-2.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Denial of service in postgresql (Alpine package)

Multiple vulnerabilities in PostgreSQL