#VU6893 Man-in-the-middle attack in PostgreSQL


Published: 2017-06-02 | Updated: 2017-06-05

Vulnerability identifier: #VU6893

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7485

CWE-ID: CWE-300

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description
The vulnerability allows a remote attacker to conduct a man-in-the-middle attack.

The weakness exists in the PGREQUIRESSL environment due to no enforcement of a SSL/TLS connection to a PostgreSQL server. A remote attacker can launch a man-in-the-middle attack to strip the SSL/TLS protection from a connection between a client and a server and modify the communicated data.

Successful exploitation of the vulnerability results in unauthorized access to sensitive information.

Mitigation
Update to versions 9.3.17, 9.4.12, 9.5.7, 9.6.3.

Vulnerable software versions

PostgreSQL: 9.6.0 - 9.6.2, 9.5.1 - 9.5.6, 9.4.0 - 9.4.11, 9.3.1 - 9.3.16

External links
http://www.postgresql.org/about/news/1746/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for PostgreSQL
Red Hat update for rh-postgresql95-postgresql
Red Hat update for PostgreSQL
Amazon Linux AMI update for postgresql93, postgresql94, postgresql95
Man-in-the-middle attack in postgresql (Alpine package)
Arch Linux update for postgresql
Arch Linux update for postgresql-libs
Debian update for postgresql-9.4