(Oracle Issues Fix for Oracle Linux) PostgreSQL Bugs Let Remote Users Bypass Authentication in Certain Cases and Let Remote Authenticated Users Obtain Passwords and Deny Service
SecurityTracker Alert ID: 1039361
SecurityTracker URL: http://securitytracker.com/id/1039361
Date: Sep 15 2017
Impact: Denial of service via network, Disclosure of authentication information, User access via network
Fix Available: Yes; Vendor Confirmed: Yes
Several vulnerabilities were reported in PostgreSQL. A remote authenticated user can cause denial of service conditions. A remote authenticated user can obtain passwords on the target system. A remote user can gain access to the target system.
Because libpq and libpq-based connection drivers do not send empty password values to the server during an authentication attempt, setting a target user's password to an empty value effectively disables password authentication for the target user's account when using those specific connection drivers. However, other connection drivers that are not based on libpq may forward an empty password, allowing a remote user to supply an empty password to access the target user's account for accounts that have set an empty password value [CVE-2017-7546].
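As a defender-side check added here (not part of the advisory or of PostgreSQL's own tooling), the following SQL finds roles on a server whose stored password is the empty string, in either storage form PostgreSQL uses, and then clears the credential so that no driver, libpq-based or not, can authenticate with an empty password. It assumes superuser access, since pg_authid is not readable by ordinary roles, and `<role_name>` is a placeholder for a role returned by the query.

```sql
-- Added audit query (constructed for this advisory, not PostgreSQL's own).
-- An empty password may be stored as the literal '' or, with password
-- encryption enabled, as 'md5' || md5(password || rolname), which for an
-- empty password reduces to 'md5' || md5(rolname). Check both forms.
SELECT rolname,
       rolcanlogin,
       CASE WHEN rolpassword = '' THEN 'empty (cleartext)'
            ELSE 'empty (md5)'
       END AS finding
FROM pg_authid
WHERE rolpassword = ''
   OR rolpassword = 'md5' || md5(rolname);

-- Remediation for each role found: a NULL password removes the credential
-- entirely, so password authentication fails for every client driver,
-- rather than being skipped only by drivers that drop empty passwords.
-- Replace <role_name> with a rolname returned by the query above.
ALTER ROLE <role_name> PASSWORD NULL;
```

Run the audit after applying the updated packages as well, since the query reports roles whose stored credential is already empty rather than whether the server still accepts one.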
A remote authenticated user can exploit a flaw in the foreign data wrapper functionality to view passwords in the pg_user_mappings catalog view [CVE-2017-7547].
A remote authenticated user can exploit an access control flaw in the lo_put() function to change the data in a large object and cause denial of service conditions [CVE-2017-7548].
Chapman Flack, Jeff Janes, Ben de Graaff, Jelte Fennema, and Jeroen van der Ham reported these vulnerabilities.
A remote authenticated user can cause denial of service conditions.
A remote authenticated user can obtain passwords on the target system.
A remote user can gain access to the target database in certain cases.
Oracle has issued a fix for CVE-2017-7546 and CVE-2017-7547.
The Oracle Linux advisory is available at:
Vendor URL: linux.oracle.com/errata/ELSA-2017-2728.html
Cause: Access control error, Authentication error
Underlying OS: Linux (Oracle)
Underlying OS Comments: 7
This archive entry is a follow-up to the message listed below.
Source Message Contents
Subject: [El-errata] ELSA-2017-2728 Moderate: Oracle Linux 7 postgresql security update
Oracle Linux Security Advisory ELSA-2017-2728
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- update to 9.2.23 per release notes
- update to 9.2.22 per release notes
El-errata mailing list