
11 matches found

IBM Security Bulletins
added 2024/07/31 9:22 a.m., 53 views

Security Bulletin: Common vulnerabilities fixed in EDB Postgres Advanced Server (EPAS)

Summary: Common vulnerabilities fixed in EDB Postgres Advanced Server (EPAS). Vulnerability Details: CVEID: CVE-2023-41113 DESCRIPTION: EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the accesshistory function. By...

CVSS: 9.8, AI score: 7.2, EPSS: 0.0014
Exploits: 0, Affected Software: 3
IBM Security Bulletins
added 2024/06/14 3:19 p.m., 58 views

Security Bulletin: EDB Postgres Advanced Server (EPAS)

Summary: This security bulletin identifies a set of common vulnerabilities that have been addressed in EDB Postgres Advanced Server with IBM 15.4. Vulnerability Details: CVEID: CVE-2023-41113 DESCRIPTION: EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to obtain...

CVSS: 9.8, AI score: 7.5, EPSS: 0.0014
Exploits: 0, Affected Software: 2
Vulnrichment
added 2024/05/09 6:12 p.m., 12 views

CVE-2024-4545 EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr

All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 prior to 15.7.0 and from 16.0 prior to 16.3.0 may allow users using edbldr to bypass role permissions from pg_read_server_files. This could allow low privilege users to read files to which they would not otherwise have access...

CVSS: 7.7, AI score: 6.8, EPSS: 0.00078
Exploits: 0, References: 3
NVD
added 2023/04/23 8:15 p.m., 10 views

CVE-2023-31043

EnterpriseDB EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17,...

CVSS: 7.5, AI score: 7.5, EPSS: 0.0014
Exploits: 0, References: 5
Prion
added 2023/04/23 8:15 p.m., 17 views

Code injection

EnterpriseDB EDB Postgres Advanced Server (EPAS) before 14.6.0 logs unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17,...

CVSS: 5, AI score: 7.5, EPSS: 0.0014
Exploits: 0, References: 5, Affected Software: 1
CVE
added 2023/04/23 12:0 a.m., 38 views

CVE-2023-31043

EnterpriseDB EDB Postgres Advanced Server (EPAS) before 14.6.0 stores unredacted passwords in logs when optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, despite redaction being configured via edb_filter_log.redact_password_commands. Affected versions and fixed targets are: 10.x bef...

CVSS: 7.5, AI score: 7.5, EPSS: 0.0014
Exploits: 0, References: 5, Affected Software: 1
IBM Security Bulletins
added 2022/02/11 5:37 p.m., 37 views

Security Bulletin: IBM Data Management Platform for EDB Postgres (Standard and Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack

Summary: When the IBM Data Management Platform for EDB Postgres Standard for IBM Cloud Pak for Data and IBM Data Management Platform for EDB Postgres Enterprise for IBM Cloud Pak for Data are configured to use trust authentication with a clientcert requirement or to use cert authentication, a...

CVSS: 8.1, AI score: 8.3, EPSS: 0.00193
Exploits: 0, Affected Software: 2
IBM Security Bulletins
added 2022/02/10 5:57 p.m., 39 views

Security Bulletin: EDB Postgres Advanced Server with IBM and IBM Data Management Platform for EDB Postgres (Standard or Enterprise) for IBM Cloud Pak for Data are vulnerable to SQL injection from "man-in-the-middle" attack.

Summary: When the EDB Postgres Advanced Server with IBM, IBM Data Management Platform for EDB Postgres Standard for IBM Cloud Pak for Data, and IBM Data Management Platform for EDB Postgres Enterprise for IBM Cloud Pak for Data are configured to use trust authentication with a clientcert requireme...

CVSS: 8.1, AI score: 8.3, EPSS: 0.00193
Exploits: 0, Affected Software: 3
IBM Security Bulletins
added 2022/02/02 7:51 p.m., 82 views

Security Bulletin: IBM Data Management Platform for EDB Postgres Standard is vulnerable to denial of service and arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)

Summary: IBM Data Management Platform for EnterpriseDB EDB Postgres Standard contains a component called EDB Failover Manager (EFM) and uses a version of Apache Log4j that impacts high availability in EDB. The upgraded EFM product contains Apache Log4j 2.17.1. Vulnerability Details: CVEID:...

CVSS: 10, AI score: 1, EPSS: 0.94358
Exploits: 345, Affected Software: 1
IBM Security Bulletins
added 2022/02/02 7:47 p.m., 47 views

Security Bulletin: IBM Data Management Platform for EDB Postgres Enterprise is vulnerable to arbitrary code execution due to Apache Log4j (CVE-2021-45105, CVE-2021-45046)

Summary: IBM Data Management Platform for EnterpriseDB EDB Postgres Enterprise contains a component called EDB failover manager (EFM) and uses a version of log4j that impacts high availability in EDB. The upgraded EFM product contains Apache Log4j 2.17.1. Vulnerability Details: CVEID: CVE-2021-45105...

CVSS: 10, AI score: 0.9, EPSS: 0.94358
Exploits: 345, Affected Software: 1
IBM Security Bulletins
added 2021/12/03 8:39 p.m., 37 views

Security Bulletin: EDB PostgreSQL with IBM, EDB Postgres Advanced Server with IBM, IBM Data Management Platform (Enterprise, Standard) are vulnerable to an SQL Injection (CVE-2021-23214)

Summary: EDB PostgreSQL with IBM and EDB Postgres Advanced Server with IBM are vulnerable to an SQL Injection. Vulnerability Details: CVEID: CVE-2021-23214 DESCRIPTION: PostgreSQL is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements when the server is configur...

CVSS: 8.1, AI score: 7.4, EPSS: 0.00193
Exploits: 0, Affected Software: 1