#VU59043 Memory leak in PostgreSQL


Published: 2021-12-16

Vulnerability identifier: #VU59043

Vulnerability risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3677

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description
The vulnerability allows a remote authenticated user to read server memory or cause a denial of service.

The vulnerability exists due to improper memory handling during parallel query execution. A purpose-crafted query lets a remote authenticated user read arbitrary bytes of server process memory or drive memory consumption high enough to cause a denial of service. In the default configuration any authenticated database user can trigger it; no ability to create objects is required.

Mitigation
Install updates from the vendor's website. The fix shipped in PostgreSQL 13.4, 12.8 and 11.13. Setting max_worker_processes = 0 disables parallel workers and blocks the known attack variants, but upstream cautions that undiscovered variants may not depend on that setting, so treat it as a stopgap until the upgrade is applied.

Vulnerable software versions

PostgreSQL: 13.0 - 13.3, 12.0 - 12.7, 11.0 - 11.12
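The ranges above are easy to misjudge by eye across a fleet, so the following is an added example (not part of this advisory or of the PostgreSQL project) that classifies collected server versions against them. It assumes an inventory of (host, version) pairs gathered with SHOW server_version_num or SHOW server_version; the host names and version strings are constructed sample data.

```python
import re

# Vulnerable minor-version ranges per branch, taken from this advisory:
# 13.0-13.3, 12.0-12.7 and 11.0-11.12. The first minor above each upper
# bound (13.4, 12.8, 11.13) is the fixed release.
VULNERABLE_RANGES = {13: (0, 3), 12: (0, 7), 11: (0, 12)}


def parse_version_num(num):
    """Split server_version_num (e.g. 130003) into (major, minor).

    PostgreSQL 10+ encodes major*10000 + minor, so this is the
    format-stable way to compare versions; prefer it over parsing text."""
    num = int(num)
    return num // 10000, num % 10000


def parse_version_text(text):
    """Extract (major, minor) from 'SHOW server_version' or 'SELECT version()'
    output, e.g. '13.3 (Debian 13.3-1.pgdg100+1)' or
    'PostgreSQL 12.7 on x86_64-pc-linux-gnu, compiled by gcc ...'.
    The first major.minor pair in the string is the server version."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no major.minor version found in %r" % text)
    return int(m.group(1)), int(m.group(2))


def classify(major, minor):
    """Return 'vulnerable', 'patched' or 'not covered' for this advisory."""
    if major not in VULNERABLE_RANGES:
        return "not covered"          # branch not listed in the advisory
    low, high = VULNERABLE_RANGES[major]
    return "vulnerable" if low <= minor <= high else "patched"


def audit(inventory):
    """inventory: list of (host, server_version_num or version text).

    Returns {host: status}. Both input forms are accepted because fleets
    typically collect one or the other."""
    results = {}
    for host, version in inventory:
        if isinstance(version, int) or str(version).strip().isdigit():
            major, minor = parse_version_num(version)
        else:
            major, minor = parse_version_text(version)
        results[host] = classify(major, minor)
    return results


# Constructed sample inventory (hypothetical hosts); the strings mirror what
# psql prints for SHOW server_version / SELECT version().
SAMPLE_INVENTORY = [
    ("db-a", 130003),
    ("db-b", "12.8 (Debian 12.8-1.pgdg100+1)"),
    ("db-c", "PostgreSQL 11.12 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.4.1"),
    ("db-d", 140000),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(host, status)
```

To feed it real data, collect `psql -Atc 'SHOW server_version_num'` from each host; the numeric form avoids the distro-suffix parsing that the text form needs. A "not covered" result only means the branch is outside the ranges this advisory lists, not that the host is safe from other issues.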


External links
http://bugzilla.redhat.com/show_bug.cgi?id=2001857
http://www.postgresql.org/docs/release/13.4/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited over the network by any remote user who can authenticate to the database and run queries.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
