History: Jan 03, 2024 - 6:17 p.m.

Security Bulletin: Extension script @substitutions@ within quoting allow SQL injection in EDB PostgreSQL

Published: 2024-01-03 18:17:39
Source: www.ibm.com
Tags: cve-2023-39417, ibm, edb postgresql, sql injection, upgrade, ibm cloud pak for data

CVSS3: 8.8 High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Network, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality Impact: High, Integrity Impact: High, Availability Impact: High)

AI Score: 8.2 High (Confidence: Low)

EPSS: 0.001 Low (Percentile: 50.6%)

Summary

Per CVE-2023-39417, extension script @substitutions@ within quoting allow SQL injection in EDB PostgreSQL with IBM, EDB Postgres Advanced Server with IBM and IBM Data Management Platform for EDB Postgres Enterprise for IBM Cloud Pak for Data.

Vulnerability Details

CVEID: CVE-2023-39417
**DESCRIPTION:** PostgreSQL is vulnerable to SQL injection through extension scripts. When an extension script uses @extowner@, @extschema@, or @extschema:…@ inside a quoting construct (dollar quoting, '', or ""), the server splices the schema or owner name into the script as text, so a name containing a quote character or a dollar-quote tag terminates the quoting construct and the remainder of the name is executed as SQL. If an administrator has installed the files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can exploit this to execute arbitrary code as the bootstrap superuser.
CVSS Base score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/263270 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H)
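The practical question for an administrator is whether any installed extension script actually contains the pattern the CVE describes. The following audit script is an added example (not IBM's or the PostgreSQL project's own code): it scans extension scripts, normally the `*.sql` files under `$(pg_config --sharedir)/extension`, and reports each @extowner@/@extschema@ placeholder that sits inside a '...', "..." or $tag$...$tag$ construct, while a bare placeholder used as an identifier is left alone because the server double-quotes the name there. It also encodes the name rule the fix in PostgreSQL 15.4 applies, which refuses to substitute a schema or owner name containing a quote, backslash or dollar sign. The embedded sample script is constructed for the demonstration and is not a real extension; `find_substitutions_in_quotes`, `patched_server_accepts` and `audit_extension_dir` are names chosen here.

```python
"""Audit PostgreSQL extension scripts for @extowner@/@extschema@ placeholders
inside quoting constructs (the CVE-2023-39417 pattern). Added example; not part
of PostgreSQL or of IBM's tooling."""
import re
import subprocess
import sys
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# Placeholders the server substitutes into extension scripts. PG16 adds
# @extschema:refname@ for required extensions; the same rule applies to it.
SUBST_RE = re.compile(r"@(?:extowner|extschema(?::[A-Za-z0-9_]+)?)@")
# Opening tag of a dollar quote: $$ or $tag$
DOLLAR_TAG_RE = re.compile(r"\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$")


@dataclass
class Finding:
    line: int
    quote: str   # "'", '"', or the dollar tag that encloses the placeholder
    token: str


def find_substitutions_in_quotes(script: str) -> List[Finding]:
    """Coarse lexer: tracks '...' (with '' escapes), "..." and $tag$...$tag$,
    skips -- and /* */ comments, and records each placeholder seen while a
    quoting construct is open. Placeholders outside quotes are the safe use
    (the server double-quotes the name there) and are not reported."""
    findings: List[Finding] = []
    state: Optional[str] = None   # None = plain SQL, else the open quote/tag
    i, line, n = 0, 1, len(script)
    while i < n:
        c = script[i]
        if c == "\n":
            line += 1
            i += 1
            continue
        if state is None:
            if script.startswith("--", i):            # line comment
                end = script.find("\n", i)
                i = n if end == -1 else end
                continue
            if script.startswith("/*", i):            # block comment (no nesting)
                end = script.find("*/", i + 2)
                stop = n if end == -1 else end + 2
                line += script.count("\n", i, stop)
                i = stop
                continue
            if c in ("'", '"'):
                state = c
                i += 1
                continue
            m = DOLLAR_TAG_RE.match(script, i)
            if m:
                state = m.group(0)
                i = m.end()
                continue
            i += 1
            continue
        # A quoting construct is open: a placeholder here is the CVE pattern.
        if c == "@":
            m = SUBST_RE.match(script, i)
            if m:
                findings.append(Finding(line, state, m.group(0)))
                i = m.end()
                continue
        if state in ("'", '"'):
            if c == state:
                if script.startswith(state * 2, i):   # doubled quote = escaped
                    i += 2
                    continue
                state = None
            i += 1
            continue
        if script.startswith(state, i):               # closing dollar tag
            i += len(state)
            state = None
            continue
        i += 1
    return findings


def patched_server_accepts(name: str) -> bool:
    """Name rule from the fix shipped in PostgreSQL 15.4 (and the same-day
    11.21-14.9 releases): a schema or owner name containing a quote, backslash
    or dollar sign is refused instead of being substituted into the script."""
    return not any(ch in name for ch in "'\"\\$")


def audit_extension_dir(directory: Path) -> Dict[str, List[Finding]]:
    """Return {script filename: findings} for every *.sql file with findings."""
    report: Dict[str, List[Finding]] = {}
    for path in sorted(directory.glob("*.sql")):
        hits = find_substitutions_in_quotes(path.read_text(errors="replace"))
        if hits:
            report[path.name] = hits
    return report


# Constructed sample (not a real extension) covering the safe and unsafe uses.
SAMPLE_SCRIPT = """\
-- constructed sample extension script
CREATE SCHEMA IF NOT EXISTS @extschema@;                 -- bare identifier: safe
CREATE FUNCTION @extschema@.version() RETURNS text
LANGUAGE sql AS $$ SELECT '@extschema@' $$;              -- inside dollar quoting: unsafe
COMMENT ON SCHEMA @extschema@ IS 'owned by @extowner@';  -- inside '...': unsafe
/* @extschema@ in a comment is never executed, so it is skipped */
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ext_dir = Path(sys.argv[1])
    else:   # default to the server's share/extension directory
        sharedir = subprocess.run(["pg_config", "--sharedir"], check=True,
                                  capture_output=True, text=True).stdout.strip()
        ext_dir = Path(sharedir) / "extension"
    for name, hits in audit_extension_dir(ext_dir).items():
        for f in hits:
            print(f"{name}:{f.line}: {f.token} inside {f.quote}")
```

Run it against the server's extension directory (or pass another directory as the first argument); on the constructed sample it reports line 4 (placeholder inside `$$`) and line 5 (placeholder inside `'...'`) and stays silent on the bare identifier uses. A hit in a trusted, non-bundled extension is the precondition the CVE text requires, which is what makes the upgrade urgent for that host. The lexer is deliberately coarse: it does not model E'...' backslash escapes or nested block comments, so treat its output as a triage list rather than a proof of absence.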

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| EDB PostgreSQL with IBM | All |
| EDB Postgres Advanced Server with IBM | All |
| IBM Data Management Platform for EDB Postgres Enterprise for IBM Cloud Pak for Data | All |

Remediation/Fixes

  • For EDB PostgreSQL with IBM and EDB Postgres Advanced Server with IBM, upgrade to v15.4. Download product versions from IBM Passport Advantage Online.
  • For EDB Postgres Advanced Server with IBM Cloud Pak for Data, upgrade to CP4D 4.7.3 or 4.8.0 or later.
  • Follow the instructions to install or upgrade EDB in _What's new or changed in EDB Postgres_ in the [IBM Cloud Pak for Data documentation](<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.7.x?topic=new-edb-postgres>).

Workarounds and Mitigations

None
