Lucene search

Cloud FoundryCFOUNDRY:1E1BF6E668E5CA3C750779CD1EF64EB2

HistoryJul 25, 2024 - 12:00 a.m.

USN-6802-1: PostgreSQL vulnerability | Cloud Foundry

2024-07-2500:00:00

Cloud Foundry

www.cloudfoundry.org

postgresql

canonical ubuntu

cloud foundry

medium severity

cve-2024-4317

authorization

statistics

mitigation

upgrade

CVSS3

3.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

6.7

Confidence

Low

JSON

Severity

Medium

Vendor

Canonical Ubuntu

Versions Affected

Canonical Ubuntu 22.04

Description

Lukas Fittl discovered that PostgreSQL incorrectly performed authorization in the built-in pg_stats_ext and pg_stats_ext_exprs views. An unprivileged database user can use this issue to read most common values and other statistics from CREATE STATISTICS commands of other users. NOTE: This update will only fix fresh PostgreSQL installations. Current PostgreSQL installations will remain vulnerable to this issue until manual steps are performed. Please see the instructions in the changelog located at /usr/share/doc/postgresql-*/changelog.Debian.gz after the updated packages have been installed, or in the PostgreSQL release notes located here: https://www.postgresql.org/docs/16/release-16-3.html https://www.postgresql.org/docs/15/release-15-7.html https://www.postgresql.org/docs/14/release-14-12.html Update Instructions: Run sudo pro fix USN-6802-1 to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: libecpg-compat3 – 14.12-0ubuntu0.22.04.1 libecpg-dev – 14.12-0ubuntu0.22.04.1 libecpg6 – 14.12-0ubuntu0.22.04.1 libpgtypes3 – 14.12-0ubuntu0.22.04.1 libpq-dev – 14.12-0ubuntu0.22.04.1 libpq5 – 14.12-0ubuntu0.22.04.1 postgresql-14 – 14.12-0ubuntu0.22.04.1 postgresql-client-14 – 14.12-0ubuntu0.22.04.1 postgresql-doc-14 – 14.12-0ubuntu0.22.04.1 postgresql-plperl-14 – 14.12-0ubuntu0.22.04.1 postgresql-plpython3-14 – 14.12-0ubuntu0.22.04.1 postgresql-pltcl-14 – 14.12-0ubuntu0.22.04.1 postgresql-server-dev-14 – 14.12-0ubuntu0.22.04.1 No subscription required

CVEs contained in this USN include: CVE-2024-4317.

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

cflinuxfs4
- All versions prior to 1.99.0
CF Deployment
- All versions prior to 41.0.0

Mitigation

Users of affected products are strongly encouraged to follow the mitigations below.

The Cloud Foundry project recommends upgrading the following releases:

cflinuxfs4
- Upgrade all versions to 1.99.0 or greater
CF Deployment
- Upgrade all versions to 41.0.0 or greater

References

History

2024-07-25: Initial vulnerability report published.

Affected configurations

Vulners

Node

cloudfoundrycflinuxfs4Range<1.99.0

cloudfoundrycf-deploymentRange<41.0.0

VendorProductVersionCPE
cloudfoundrycflinuxfs4*cpe:2.3:a:cloudfoundry:cflinuxfs4:*:*:*:*:*:*:*:*
cloudfoundrycf-deployment*cpe:2.3:a:cloudfoundry:cf-deployment:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
cloudfoundry	cflinuxfs4	*	cpe:2.3:a:cloudfoundry:cflinuxfs4::::::::
cloudfoundry	cf-deployment	*	cpe:2.3:a:cloudfoundry:cf-deployment::::::::