Security Bulletin: IBM Instana Observability is vulnerable to SQL injection due to PostgreSQL driver and toolkit for Go, known as pgx.

Summary

PostgreSQL driver and toolkit for Go, known as pgx is used by IBM Instana Observability (Using third-party datastore Operators) as part of the postgres operator (CVE-2024-27304). This bulletin identifies the steps to take to address the vulnerability.

Vulnerability Details

CVEID:CVE-2024-27304
**DESCRIPTION:**pgx is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 9.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/285113 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

IBM strongly recommends addressing these vulnerabilities now by updating IBM Observability with Instana (Using third-party datastore Operators) to the latest release as described here:

<https://www.ibm.com/docs/en/instana-observability/273?topic=stores-installing-third-party-data-store-operators&gt;

Workarounds and Mitigations

None