Lucene search

K
amazonAmazonALAS-2017-931
HistoryDec 05, 2017 - 10:19 p.m.

Medium: postgresql92, postgresql93, postgresql94

2017-12-0522:19:00
alas.aws.amazon.com
26

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS

0.008

Percentile

81.2%

Issue Overview:

Privilege escalation flaws were found in the initialization scripts of PostgreSQL. A remote attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.( CVE-2017-12172)

Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL can crash the server or disclose a few bytes of server memory.(CVE-2017-15098)

Affected Packages:

postgresql92, postgresql93, postgresql94

Issue Correction:
Run yum update postgresql92 to update your system.
Run yum update postgresql93 to update your system.
Run yum update postgresql94 to update your system.

New Packages:

i686:  
    postgresql92-plperl-9.2.24-1.65.amzn1.i686  
    postgresql92-debuginfo-9.2.24-1.65.amzn1.i686  
    postgresql92-server-compat-9.2.24-1.65.amzn1.i686  
    postgresql92-plpython27-9.2.24-1.65.amzn1.i686  
    postgresql92-devel-9.2.24-1.65.amzn1.i686  
    postgresql92-server-9.2.24-1.65.amzn1.i686  
    postgresql92-libs-9.2.24-1.65.amzn1.i686  
    postgresql92-contrib-9.2.24-1.65.amzn1.i686  
    postgresql92-9.2.24-1.65.amzn1.i686  
    postgresql92-test-9.2.24-1.65.amzn1.i686  
    postgresql92-pltcl-9.2.24-1.65.amzn1.i686  
    postgresql92-plpython26-9.2.24-1.65.amzn1.i686  
    postgresql92-docs-9.2.24-1.65.amzn1.i686  
    postgresql94-plpython27-9.4.15-1.73.amzn1.i686  
    postgresql94-debuginfo-9.4.15-1.73.amzn1.i686  
    postgresql94-docs-9.4.15-1.73.amzn1.i686  
    postgresql94-libs-9.4.15-1.73.amzn1.i686  
    postgresql94-devel-9.4.15-1.73.amzn1.i686  
    postgresql94-server-9.4.15-1.73.amzn1.i686  
    postgresql94-plperl-9.4.15-1.73.amzn1.i686  
    postgresql94-9.4.15-1.73.amzn1.i686  
    postgresql94-test-9.4.15-1.73.amzn1.i686  
    postgresql94-plpython26-9.4.15-1.73.amzn1.i686  
    postgresql94-contrib-9.4.15-1.73.amzn1.i686  
    postgresql93-pltcl-9.3.20-1.69.amzn1.i686  
    postgresql93-test-9.3.20-1.69.amzn1.i686  
    postgresql93-plpython26-9.3.20-1.69.amzn1.i686  
    postgresql93-libs-9.3.20-1.69.amzn1.i686  
    postgresql93-server-9.3.20-1.69.amzn1.i686  
    postgresql93-docs-9.3.20-1.69.amzn1.i686  
    postgresql93-contrib-9.3.20-1.69.amzn1.i686  
    postgresql93-devel-9.3.20-1.69.amzn1.i686  
    postgresql93-debuginfo-9.3.20-1.69.amzn1.i686  
    postgresql93-plpython27-9.3.20-1.69.amzn1.i686  
    postgresql93-9.3.20-1.69.amzn1.i686  
    postgresql93-plperl-9.3.20-1.69.amzn1.i686  
  
src:  
    postgresql92-9.2.24-1.65.amzn1.src  
    postgresql94-9.4.15-1.73.amzn1.src  
    postgresql93-9.3.20-1.69.amzn1.src  
  
x86_64:  
    postgresql92-docs-9.2.24-1.65.amzn1.x86_64  
    postgresql92-plpython27-9.2.24-1.65.amzn1.x86_64  
    postgresql92-test-9.2.24-1.65.amzn1.x86_64  
    postgresql92-9.2.24-1.65.amzn1.x86_64  
    postgresql92-server-compat-9.2.24-1.65.amzn1.x86_64  
    postgresql92-pltcl-9.2.24-1.65.amzn1.x86_64  
    postgresql92-plperl-9.2.24-1.65.amzn1.x86_64  
    postgresql92-devel-9.2.24-1.65.amzn1.x86_64  
    postgresql92-server-9.2.24-1.65.amzn1.x86_64  
    postgresql92-libs-9.2.24-1.65.amzn1.x86_64  
    postgresql92-contrib-9.2.24-1.65.amzn1.x86_64  
    postgresql92-plpython26-9.2.24-1.65.amzn1.x86_64  
    postgresql92-debuginfo-9.2.24-1.65.amzn1.x86_64  
    postgresql94-contrib-9.4.15-1.73.amzn1.x86_64  
    postgresql94-plperl-9.4.15-1.73.amzn1.x86_64  
    postgresql94-devel-9.4.15-1.73.amzn1.x86_64  
    postgresql94-server-9.4.15-1.73.amzn1.x86_64  
    postgresql94-libs-9.4.15-1.73.amzn1.x86_64  
    postgresql94-plpython26-9.4.15-1.73.amzn1.x86_64  
    postgresql94-debuginfo-9.4.15-1.73.amzn1.x86_64  
    postgresql94-plpython27-9.4.15-1.73.amzn1.x86_64  
    postgresql94-test-9.4.15-1.73.amzn1.x86_64  
    postgresql94-9.4.15-1.73.amzn1.x86_64  
    postgresql94-docs-9.4.15-1.73.amzn1.x86_64  
    postgresql93-server-9.3.20-1.69.amzn1.x86_64  
    postgresql93-devel-9.3.20-1.69.amzn1.x86_64  
    postgresql93-test-9.3.20-1.69.amzn1.x86_64  
    postgresql93-plperl-9.3.20-1.69.amzn1.x86_64  
    postgresql93-plpython27-9.3.20-1.69.amzn1.x86_64  
    postgresql93-docs-9.3.20-1.69.amzn1.x86_64  
    postgresql93-9.3.20-1.69.amzn1.x86_64  
    postgresql93-pltcl-9.3.20-1.69.amzn1.x86_64  
    postgresql93-contrib-9.3.20-1.69.amzn1.x86_64  
    postgresql93-plpython26-9.3.20-1.69.amzn1.x86_64  
    postgresql93-libs-9.3.20-1.69.amzn1.x86_64  
    postgresql93-debuginfo-9.3.20-1.69.amzn1.x86_64  

Additional References

Red Hat: CVE-2017-12172, CVE-2017-15098

Mitre: CVE-2017-12172, CVE-2017-15098

CVSS2

7.2

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

EPSS

0.008

Percentile

81.2%