The Latest in IT Security

PostgreSQL Denial of Service Vulnerability Found and Patched

27
Feb
2013

PostgreSQL is a fully featured object-relational database management system. It supports a large part of the SQL standard and is designed to be extensible by users in many aspects.  Graphical user interfaces and bindings for many programming languages are available as well.

Earlier this month, I discovered a denial of service vulnerability in versions of PostgreSQL that caused a crash if a function was called with invalid arguments in a SQL query. In theory, one could examine the contents of the server’s memory after the crash using this vulnerability. Currently, no threats in the wild are exploiting this vulnerability.

The following versions of PostgreSQL are vulnerable:

  • 8.3.x before 8.3.23
  • 8.4.x before 8.4.16
  • 9.0.x before 9.0.12
  • 9.1.x before 9.1.8
  • 9.2.x before 9.2.3

The function in question is the  enum_recv function, which is not properly declared in backend/utils/adt/enum.c. The current fix bars calling the function from SQL; the declaration of the function will be fixed in a future release by PostgreSQL. The function should accept inputs of the type “internal” not as “cstring”.

PostgreSQL has released updates to patch this vulnerability. We strongly urge administrators to update their servers to the appropriate version as soon as possible. The patched versions are:

  • 8.3.23
  • 8.4.16
  • 9.0.12
  • 9.1.8
  • 9.2.3

In addition, the following Deep Security rule can be used to protect against this threat:

  • 1005393 – PostgreSQL “enum_recv()” Denial Of Service Vulnerability

Leave a reply


Categories

TUESDAY, SEPTEMBER 29, 2020
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments