JVN#67456481: Pgpool-II vulnerable to information disclosure

Pgpool-II is a cluster management tool. Pgpool-II contains an information disclosure vulnerability (CWE-213) in its query cache function.

Impact

If a database user access a query cache, table data unauthorized for the user may be retrieved.

Solution

Update the Software
Apply the appropriate updates for the respective versions according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

• Pgpool-II 4.5.4 (4.5 series)
• Pgpool-II 4.4.9 (4.4 series)
• Pgpool-II 4.3.12 (4.3 series)
• Pgpool-II 4.2.19 (4.2 series)
• Pgpool-II 4.1.22 (4.1 series)
  The developer recommends that users should upgrade the software to 4.1 series or later, as 3.2 to 4.0 series are no longer supported (End-of-Support), thus no updates/patches are provided for them.

Apply the workaround
Applying the following workarounds may mitigate the impact of this vulnerability.

• Stop using query cache function (memory_cache_enabled = off)

Products Affected

The following versions of Pgpool-II are affected:

• 4.5.0 to 4.5.3 (4.5 series)
• 4.4.0 to 4.4.8 (4.4 series)
• 4.3.0 to 4.3.11 (4.3 series)
• 4.2.0 to 4.2.18 (4.2 series)
• 4.1.0 to 4.1.21 (4.1 series)
• All versions of 4.0 series
• All versions of 3.7 series
• All versions of 3.6 series
• All versions of 3.5 series
• All versions of 3.4 series
• All versions of 3.3 series
• All versions of 3.2 series