Vulnerabilities > CVE-2018-1115 - Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
HIGH Availability impact
HIGH Summary
postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Accessing Functionality Not Properly Constrained by ACLs In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
- Privilege Abuse An adversary is able to exploit features of the target that should be reserved for privileged users or administrators but are exposed to use by lower or non-privileged accounts. Access to sensitive information and functionality must be controlled to ensure that only authorized users are able to access these resources. If access control mechanisms are absent or misconfigured, a user may be able to access resources that are intended only for higher level users. An adversary may be able to exploit this to utilize a less trusted account to gain information and perform activities reserved for more trusted accounts. This attack differs from privilege escalation and other privilege stealing attacks in that the adversary never actually escalates their privileges but instead is able to use a lesser degree of privilege to access resources that should be (but are not) reserved for higher privilege accounts. Likewise, the adversary does not exploit trust or subvert systems - all control functionality is working as configured but the configuration does not adequately protect sensitive resources at an appropriate level.
- Directory Indexing An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
- Accessing, Modifying or Executing Executable Files An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
- Exploiting Incorrectly Configured Access Control Security Levels An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. Most commonly, attackers would take advantage of controls that provided too little protection for sensitive activities in order to perform actions that should be denied to them. In some circumstances, an attacker may be able to take advantage of overly restrictive access control policies, initiating denial of services (if an application locks because it unexpectedly failed to be granted access) or causing other legitimate actions to fail due to security. The latter class of attacks, however, is usually less severe and easier to detect than attacks based on inadequate security restrictions. This attack pattern differs from CAPEC 1, "Accessing Functionality Not Properly Constrained by ACLs" in that the latter describes attacks where sensitive functionality lacks access controls, where, in this pattern, the access control is present, but incorrectly configured.
Nessus
NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-659.NASL description This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack last seen 2020-06-01 modified 2020-06-02 plugin id 123286 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123286 title openSUSE Security Update : postgresql10 (openSUSE-2019-659) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2019-659. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(123286); script_version("1.2"); script_cvs_date("Date: 2020/01/30"); script_cve_id("CVE-2018-10915", "CVE-2018-10925", "CVE-2018-1115"); script_name(english:"openSUSE Security Update : postgresql10 (openSUSE-2019-659)"); script_summary(english:"Check for the openSUSE-2019-659 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed (bsc#1091610). - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtain access to higher privileged connections or potentially cause other impact SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) - CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202). This update was imported from the SUSE:SLE-15:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1091610" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1104199" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1104202" ); script_set_attribute( attribute:"see_also", value:"https://www.postgresql.org/about/news/1851/" ); # https://www.postgresql.org/docs/current/static/release-10-5.html script_set_attribute( attribute:"see_also", value:"https://www.postgresql.org/docs/current/release-10-5.html" ); script_set_attribute( attribute:"solution", value:"Update the affected postgresql10 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-32bit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-32bit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-contrib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-contrib-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-plperl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-plperl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-plpython"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-plpython-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-pltcl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-pltcl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-server-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-test"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/10"); script_set_attribute(attribute:"patch_publication_date", value:"2019/03/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/27"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.0", reference:"libecpg6-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"libecpg6-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"libpq5-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"libpq5-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-contrib-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-contrib-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-debugsource-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-devel-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-devel-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-plperl-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-plperl-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-plpython-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-plpython-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-pltcl-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-pltcl-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-server-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-server-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-test-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libecpg6-32bit-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libecpg6-32bit-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libpq5-32bit-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libpq5-32bit-debuginfo-10.5-lp150.3.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "postgresql10 / postgresql10-contrib / etc"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-955.NASL description This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack last seen 2020-06-05 modified 2018-09-04 plugin id 112269 published 2018-09-04 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112269 title openSUSE Security Update : postgresql10 (openSUSE-2018-955) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-955. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(112269); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-10915", "CVE-2018-10925", "CVE-2018-1115"); script_name(english:"openSUSE Security Update : postgresql10 (openSUSE-2018-955)"); script_summary(english:"Check for the openSUSE-2018-955 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed (bsc#1091610). - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtain access to higher privileged connections or potentially cause other impact SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) - CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202). This update was imported from the SUSE:SLE-15:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1091610" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1104199" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1104202" ); script_set_attribute( attribute:"see_also", value:"https://www.postgresql.org/about/news/1851/" ); # https://www.postgresql.org/docs/current/static/release-10-5.html script_set_attribute( attribute:"see_also", value:"https://www.postgresql.org/docs/current/release-10-5.html" ); script_set_attribute( attribute:"solution", value:"Update the affected postgresql10 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-32bit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-32bit-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-contrib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-contrib-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-plperl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-plperl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-plpython"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-plpython-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-pltcl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-pltcl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-server-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql10-test"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:15.0"); script_set_attribute(attribute:"patch_publication_date", value:"2018/09/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/04"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE15\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "15.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE15.0", reference:"libecpg6-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"libecpg6-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"libpq5-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"libpq5-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-contrib-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-contrib-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-debugsource-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-devel-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-devel-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-plperl-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-plperl-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-plpython-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-plpython-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-pltcl-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-pltcl-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-server-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-server-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", reference:"postgresql10-test-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libecpg6-32bit-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libecpg6-32bit-debuginfo-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libpq5-32bit-10.5-lp150.3.3.1") ) flag++; if ( rpm_check(release:"SUSE15.0", cpu:"x86_64", reference:"libpq5-32bit-debuginfo-10.5-lp150.3.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "postgresql10 / postgresql10-contrib / etc"); }NASL family Databases NASL id POSTGRESQL_20181115.NASL description The version of PostgreSQL installed on the remote host is 9.3.x prior to 9.3.23, 9.4.x prior to 9.4.18, 9.5.x prior to 9.5.13, or 9.6.x prior to 9.6.9, or 10.3.x. As such, it is potentially affected by Insecure ACL Remote Issue last seen 2020-06-01 modified 2020-06-02 plugin id 110288 published 2018-06-01 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110288 title PostgreSQL 9.3 < 9.3.23 / 9.4 < 9.4.18 / 9.5 < 9.5.13 / 9.6 < 9.6.9 / 10.3 Insecure ACL Remote Issue code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(110288); script_version("1.4"); script_cvs_date("Date: 2019/11/04"); script_cve_id("CVE-2018-1115"); script_bugtraq_id(104285); script_name(english:"PostgreSQL 9.3 < 9.3.23 / 9.4 < 9.4.18 / 9.5 < 9.5.13 / 9.6 < 9.6.9 / 10.3 Insecure ACL Remote Issue"); script_summary(english:"Checks version of PostgreSQL"); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of PostgreSQL installed on the remote host is 9.3.x prior to 9.3.23, 9.4.x prior to 9.4.18, 9.5.x prior to 9.5.13, or 9.6.x prior to 9.6.9, or 10.3.x. As such, it is potentially affected by Insecure ACL Remote Issue"); script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/about/news/1851/"); script_set_attribute(attribute:"see_also", value:"https://www.us-cert.gov/ncas/bulletins/SB18-134"); script_set_attribute(attribute:"solution", value: "Upgrade to PostgreSQL 9.3.23 / 9.4.18 / 9.5.13 / 9.6.9 / 10.4 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-1115"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/10"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/01"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("postgresql_version.nbin"); script_require_ports("Services/postgresql", 5432); exit(0); } include("audit.inc"); include("backport.inc"); include("global_settings.inc"); include("misc_func.inc"); port = get_service(svc:"postgresql", default:5432, exit_on_fail:TRUE); version = get_kb_item_or_exit('database/'+port+'/postgresql/version'); source = get_kb_item_or_exit('database/'+port+'/postgresql/source'); database = get_kb_item('database/'+port+'/postgresql/database_name'); get_backport_banner(banner:source); if (backported && report_paranoia < 2) audit(AUDIT_BACKPORT_SERVICE, port, 'PostgreSQL server'); ver = split(version, sep:'.'); for (i=0; i < max_index(ver); i++) ver[i] = int(ver[i]); if ( (ver[0] == 9 && ver[1] == 3 && ver[2] < 23) || (ver[0] == 9 && ver[1] == 4 && ver[2] < 18) || (ver[0] == 9 && ver[1] == 5 && ver[2] < 13) || (ver[0] == 9 && ver[1] == 6 && ver[2] < 9) || (ver[0] == 10 && ver[1] < 4) ) { if (report_verbosity > 0) { report = ''; if(database) report += '\n Database name : ' + database ; report += '\n Version source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 9.3.23 / 9.4.18 / 9.5.13 / 9.6.9 / 10.4\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, 'PostgreSQL', port, version);NASL family Fedora Local Security Checks NASL id FEDORA_2018-BD6F9237B5.NASL description update to 9.6.9 per release notes https://www.postgresql.org/docs/9.6/static/release-9-6-9.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-05-23 plugin id 109972 published 2018-05-23 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109972 title Fedora 26 : postgresql (2018-bd6f9237b5) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2018-bd6f9237b5. # include("compat.inc"); if (description) { script_id(109972); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-1115"); script_xref(name:"FEDORA", value:"2018-bd6f9237b5"); script_name(english:"Fedora 26 : postgresql (2018-bd6f9237b5)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "update to 9.6.9 per release notes https://www.postgresql.org/docs/9.6/static/release-9-6-9.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2018-bd6f9237b5" ); # https://www.postgresql.org/docs/9.6/static/release-9-6-9.html script_set_attribute( attribute:"see_also", value:"https://www.postgresql.org/docs/9.6/release-9-6-9.html" ); script_set_attribute( attribute:"solution", value:"Update the affected postgresql package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:postgresql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/10"); script_set_attribute(attribute:"patch_publication_date", value:"2018/05/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/23"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC26", reference:"postgresql-9.6.9-1.fc26")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "postgresql"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-696.NASL description This update for postgresql95 fixes the following issues : - Update to PostgreSQL 9.5.13 : - https://www.postgresql.org/docs/9.5/static/release-9-5-13.html A dump/restore is not required for those running 9.5.X. However, if the function marking mistakes mentioned belowpg_logfile_rotate affect you, you will want to take steps to correct your database catalogs. The functions query_to_xml, cursor_to_xml, cursor_to_xmlschema, query_to_xmlschema, and query_to_xml_and_xmlschema should be marked volatile because they execute user-supplied queries that might contain volatile operations. They were not, leading to a risk of incorrect query optimization. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard, but in case of trouble, it can be fixed by manually updating these functions last seen 2020-06-05 modified 2018-07-09 plugin id 110955 published 2018-07-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110955 title openSUSE Security Update : postgresql95 (openSUSE-2018-696) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-696. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(110955); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-1115"); script_name(english:"openSUSE Security Update : postgresql95 (openSUSE-2018-696)"); script_summary(english:"Check for the openSUSE-2018-696 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "This update for postgresql95 fixes the following issues : - Update to PostgreSQL 9.5.13 : - https://www.postgresql.org/docs/9.5/static/release-9-5-13.html A dump/restore is not required for those running 9.5.X. However, if the function marking mistakes mentioned belowpg_logfile_rotate affect you, you will want to take steps to correct your database catalogs. The functions query_to_xml, cursor_to_xml, cursor_to_xmlschema, query_to_xmlschema, and query_to_xml_and_xmlschema should be marked volatile because they execute user-supplied queries that might contain volatile operations. They were not, leading to a risk of incorrect query optimization. This has been repaired for new installations by correcting the initial catalog data, but existing installations will continue to contain the incorrect markings. Practical use of these functions seems to pose little hazard, but in case of trouble, it can be fixed by manually updating these functions' pg_proc entries, for example: ALTER FUNCTION pg_catalog.query_to_xml(text, boolean, boolean, text) VOLATILE. (Note that that will need to be done in each database of the installation.) Another option is to pg_upgrade the database to a version containing the corrected initial data. Security issue fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed. (bsc#1091610)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1091610" ); # https://www.postgresql.org/docs/9.5/static/release-9-5-13.html script_set_attribute( attribute:"see_also", value:"https://www.postgresql.org/docs/9.5/release-9-5-13.html" ); script_set_attribute( attribute:"solution", value:"Update the affected postgresql95 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-contrib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-contrib-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-libs-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-plperl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-plperl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-plpython"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-plpython-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-pltcl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-pltcl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-server-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql95-test"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/09"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-contrib-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-contrib-debuginfo-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-debuginfo-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-debugsource-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-devel-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-devel-debuginfo-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-libs-debugsource-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-plperl-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-plperl-debuginfo-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-plpython-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-plpython-debuginfo-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-pltcl-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-pltcl-debuginfo-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-server-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-server-debuginfo-9.5.13-2.9.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql95-test-9.5.13-2.9.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "postgresql95-devel / postgresql95-devel-debuginfo / etc"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201810-08.NASL description The remote host is affected by the vulnerability described in GLSA-201810-08 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. In addition it was discovered that Gentoo’s PostgreSQL installation suffered from a privilege escalation vulnerability due to a runscript which called OpenRC’s checkpath() on a user controlled path and allowed user running PostgreSQL to kill arbitrary processes via PID file manipulation. Impact : A remote attacker could bypass certain client-side connection security features, read arbitrary server memory or alter certain data. In addition, a local attacker could gain privileges or cause a Denial of Service condition by killing arbitrary processes. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 118508 published 2018-10-31 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118508 title GLSA-201810-08 : PostgreSQL: Multiple vulnerabilities code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 201810-08. # # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(118508); script_version("1.1"); script_cvs_date("Date: 2018/10/31 12:28:57"); script_cve_id("CVE-2018-10915", "CVE-2018-10925", "CVE-2018-1115"); script_xref(name:"GLSA", value:"201810-08"); script_name(english:"GLSA-201810-08 : PostgreSQL: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-201810-08 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. In addition it was discovered that Gentoo’s PostgreSQL installation suffered from a privilege escalation vulnerability due to a runscript which called OpenRC’s checkpath() on a user controlled path and allowed user running PostgreSQL to kill arbitrary processes via PID file manipulation. Impact : A remote attacker could bypass certain client-side connection security features, read arbitrary server memory or alter certain data. In addition, a local attacker could gain privileges or cause a Denial of Service condition by killing arbitrary processes. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/201810-08" ); script_set_attribute( attribute:"solution", value: "All PostgreSQL users up to 9.3 should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-9.3.24:9.3' All PostgreSQL 9.4 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-9.4.19:9.4' All PostgreSQL 9.5 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-9.5.14:9.5' All PostgreSQL 9.6 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-9.6.10:9.6' All PostgreSQL 10 users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/postgresql-10.5:10'" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:postgresql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2018/10/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/10/31"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-db/postgresql", unaffected:make_list("ge 9.3.24", "ge 9.4.19", "ge 9.5.14", "ge 9.6.10", "ge 10.5"), vulnerable:make_list("lt 10.5"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "PostgreSQL"); }NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-638.NASL description PostgreSQL was updated to 9.6.9 fixing bugs and security issues : Release notes : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-9-6-9.html A dump/restore is not required for those running 9.6.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issue fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack last seen 2020-06-05 modified 2018-06-18 plugin id 110588 published 2018-06-18 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110588 title openSUSE Security Update : postgresql96 (openSUSE-2018-638) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update openSUSE-2018-638. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(110588); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2018-1115"); script_name(english:"openSUSE Security Update : postgresql96 (openSUSE-2018-638)"); script_summary(english:"Check for the openSUSE-2018-638 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "PostgreSQL was updated to 9.6.9 fixing bugs and security issues : Release notes : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-9-6-9.html A dump/restore is not required for those running 9.6.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issue fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed. (bsc#1091610) This update was imported from the SUSE:SLE-12:Update update project." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1091610" ); script_set_attribute( attribute:"see_also", value:"https://www.postgresql.org/about/news/1851/" ); # https://www.postgresql.org/docs/current/static/release-9-6-9.html script_set_attribute( attribute:"see_also", value:"https://www.postgresql.org/docs/current/release-9-6-9.html" ); script_set_attribute( attribute:"solution", value:"Update the affected postgresql96 packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libecpg6-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:libpq5-debuginfo-32bit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-contrib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-contrib-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-devel-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-libs-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-plperl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-plperl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-plpython"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-plpython-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-pltcl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-pltcl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-server-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:postgresql96-test"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3"); script_set_attribute(attribute:"patch_publication_date", value:"2018/06/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE42.3", reference:"libecpg6-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libecpg6-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libpq5-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"libpq5-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-contrib-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-contrib-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-debugsource-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-devel-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-devel-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-libs-debugsource-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-plperl-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-plperl-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-plpython-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-plpython-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-pltcl-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-pltcl-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-server-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-server-debuginfo-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", reference:"postgresql96-test-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libecpg6-32bit-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libecpg6-debuginfo-32bit-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libpq5-32bit-9.6.9-18.1") ) flag++; if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"libpq5-debuginfo-32bit-9.6.9-18.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libecpg6-32bit / libecpg6 / libecpg6-debuginfo-32bit / etc"); }NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2564-1.NASL description This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : https://www.postgresql.org/about/news/1851/ https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed: CVE-2018-1115: Remove public execute privilege from contrib/adminpack last seen 2020-03-19 modified 2019-01-02 plugin id 120090 published 2019-01-02 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120090 title SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2018:2564-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-08550A9006.NASL description update to 10.4 per release notes: https://www.postgresql.org/docs/10/static/release-10-4.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2019-01-03 plugin id 120220 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120220 title Fedora 28 : postgresql (2018-08550a9006) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1119.NASL description A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with last seen 2020-06-10 modified 2018-12-07 plugin id 119478 published 2018-12-07 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119478 title Amazon Linux AMI : postgresql96 (ALAS-2018-1119) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1695-1.NASL description PostgreSQL was updated to 9.6.9 fixing bugs and security issues: Release notes : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-9-6-9.html A dump/restore is not required for those running 9.6.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issue fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack last seen 2020-06-01 modified 2020-06-02 plugin id 110548 published 2018-06-15 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110548 title SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2018:1695-1) NASL family Fedora Local Security Checks NASL id FEDORA_2018-937C789F2A.NASL description update to 9.6.9 per release notes: https://www.postgresql.org/docs/9.6/static/release-9-6-9.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2018-05-23 plugin id 109971 published 2018-05-23 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109971 title Fedora 27 : postgresql (2018-937c789f2a)
Redhat
| advisories |
| ||||||||
| rpms |
|
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1115
- http://www.securityfocus.com/bid/104285
- https://access.redhat.com/errata/RHSA-2018:2566
- https://access.redhat.com/errata/RHSA-2018:2565
- https://security.gentoo.org/glsa/201810-08
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=7b34740