From: | Magnus Hagander <magnus(at)hagander(dot)net> |
---|---|
To: | "Rajwade, Abhijit" <Abhijit_Rajwade(at)bmc(dot)com> |
Cc: | "pgsql-bugs(at)lists(dot)postgresql(dot)org" <pgsql-bugs(at)lists(dot)postgresql(dot)org>, "Phadtare, Yogesh" <yogesh_phadtare(at)bmc(dot)com>, "Sanklecha, Akshay" <akshay_sanklecha_tp(at)bmc(dot)com>, "Nambiar, Girish" <Girish_Nambiar(at)bmc(dot)com> |
Subject: | Re: Re: BUG #15731: CVE-2019-9193 |
Date: | 2019-04-03 08:10:21 |
Message-ID: | CABUevEyJQ1CV3_k-C4zeoe93dEUD2SC9MCabV91QbjjHQ6KuUA@mail.gmail.com |
Lists: | pgsql-bugs |
It's absolutely trivial. Don't run as superuser, done.
Again, there is no vulnerability to prevent. If you explicitly allow
superusers to log in remotely, they can do superuser things. Just like if
you allow "root" to ssh in remotely, people can use that to ssh in as
"root" and do root level things like delete your files.
(The report is of course also simply factually incorrect, because the
pg_read_server_files role has exactly nothing to do with it. Which is also
clearly documented. And you can even tell from the name that it's about
reading files)
You can read some more at
https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/
-- which also quotes some relevant parts of the documentation.
//Magnus
On Wed, Apr 3, 2019 at 9:47 AM Rajwade, Abhijit <Abhijit_Rajwade(at)bmc(dot)com>
wrote:
> Magnus,
>
> If this is mis-configured, can you please advise what configuration is
> needed to prevent this vulnerability?
>
> Thx & Regards
>
> --- Abhijit Rajwade
>
> *From:* Magnus Hagander [mailto:magnus(at)hagander(dot)net]
> *Sent:* Wednesday, April 03, 2019 1:13 PM
> *To:* Rajwade, Abhijit; pgsql-bugs(at)lists(dot)postgresql(dot)org
> *Subject:* [EXTERNAL] Re: BUG #15731: CVE-2019-9193
>
> This is not a security vulnerability in the product. It is behaving
> exactly as intended. It may be misconfigured in some deployments, but it's
> not a product vulnerability.
>
> /Magnus
>
> On Wed, Apr 3, 2019, 09:39 PG Bug reporting form <noreply(at)postgresql(dot)org>
> wrote:
>
> The following bug has been logged on the website:
>
> Bug reference: 15731
> Logged by: Abhijit Rajwade
> Email address: abhijit_rajwade(at)bmc(dot)com
> PostgreSQL version: 11.2
> Operating system: Linux
> Description:
>
> Sonatype Nexus Auditor is reporting the following Threat level 9
> vulnerability on Postgres
>
> Vulnerability
>
> Issue CVE-2019-9193
> Severity Sonatype CVSS 3.0: 9.8
> Weakness Sonatype CWE: 94
> Source National Vulnerability Database
> Categories Data
>
> Description
>
> Description from CVE
> In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows
> superusers and users in the 'pg_read_server_files' group to execute
> arbitrary code in the context of the database's operating system user. This
> functionality is enabled by default and can be abused to run arbitrary
> operating system commands on Windows, Linux, and macOS.
>
> Root Cause
> postgresql-42.2.5.jar : [9.3, )
>
> Advisories
> Third Party:
>
> https://github.com/iiiusky/vulhub/commit/88c8816c6f8825030ade34c63c745757ca818fc0#diff-ceb08c22f5e392636bdb77b8562ce0fd
> Third Party:
>
> https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
>
> CVSS Details
> Sonatype CVSS 3.0: 9.8
> CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
>
> Can you please have the above Security vulnerability fixed?
>
> --- Abhijit Rajwade
>
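An added audit example, not part of this thread or of PostgreSQL's own code, that checks the point Magnus makes: on PostgreSQL 11 only superusers and members of the pg_execute_server_program role can use COPY TO/FROM PROGRAM, and pg_read_server_files membership does not grant it. The role names app_user and report_loader are constructed for the demonstration.

```sql
-- Constructed roles for the demonstration (not from the thread).
CREATE ROLE app_user LOGIN PASSWORD 'example-only';       -- ordinary application login
CREATE ROLE report_loader LOGIN PASSWORD 'example-only';  -- allowed to read server-side files
GRANT pg_read_server_files TO report_loader;

-- Audit: which login roles can run programs on the database host via COPY ... PROGRAM?
-- Note that pg_has_role() reports superusers as members of every role, so a
-- superuser shows true in every column; that is the account not to hand out remotely.
SELECT r.rolname,
       r.rolsuper                                               AS is_superuser,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_copy_program,
       pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')      AS can_read_server_files
FROM   pg_roles r
WHERE  r.rolcanlogin
ORDER  BY r.rolname;
-- Expected: app_user -> false/false/false; report_loader -> false/false/true.
-- The file-reading role and the program-execution role are separate privileges.

-- The fix the thread recommends is configuration, not a patch: make sure the
-- login used by applications is not a superuser.
ALTER ROLE app_user NOSUPERUSER;

-- Confirm that a role with only pg_read_server_files is refused COPY ... PROGRAM.
SET ROLE report_loader;
COPY (SELECT 1) TO PROGRAM 'cat';   -- ERROR: permission denied (not a superuser and
                                    -- not a member of pg_execute_server_program)
RESET ROLE;
```

Run the SELECT periodically against production and treat any unexpected row with can_copy_program = true the same way you would treat an unexpected root SSH key.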