__________________________________________________________

               The U.S. Department of Energy
           Computer Incident Advisory Capability
                      ___  __ __   _     ___
                     /       |     /_\   /
                     \___  __|__  /   \  \___
__________________________________________________________

                         INFORMATION BULLETIN

              Security Vulnerabilities in PostgreSQL
                      [Sun Alert ID: 102825]

February 28, 2007 20:00 GMT                                       Number R-167
                                                         [REVISED 15 Mar 2007]
______________________________________________________________________________
PROBLEM:       Two security vulnerabilities in the PostgreSQL database
               server (see postgres(1)) may allow local or remote PostgreSQL
               users the ability to cause the PostgreSQL server to crash or
               access restricted database content.

PLATFORM:      Solaris 10 Operating System
               RHEL Desktop Workstation (v. 5 client)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux Desktop (v. 5 client)

DAMAGE:        May allow local or remote PostgreSQL users the ability to
               cause the PostgreSQL server to crash or access restricted
               database content.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. May allow local or remote PostgreSQL users
ASSESSMENT:    the ability to cause the PostgreSQL server to crash or access
               restricted database content.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-167.shtml
 ORIGINAL BULLETIN:  http://www.sunsolve.sun.com/search/document.do?assetkey=
                     1-26-102825-1
 ADDITIONAL LINK:    https://rhn.redhat.com/errata/RHSA-2007-0068.html
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-0555
                     CVE-2007-0556
______________________________________________________________________________
REVISION HISTORY:
 03/15/2007 - revised R-167 to add a link to Red Hat RHSA-2007:0068-4 for
              RHEL Desktop Workstation (v. 5 client), Red Hat Enterprise
              Linux (v. 5 server), and Red Hat Enterprise Linux Desktop
              (v. 5 client).
[***** Start Sun Alert ID: 102825 *****]

Sun(sm) Alert Notification

   Sun Alert ID:    102825
   Synopsis:        Two Security Vulnerabilities in PostgreSQL May Allow
                    Denial of Service or Information Leakage
   Category:        Security
   Product:         Solaris 10 Operating System
   BugIDs:          6520656
   Avoidance:       Workaround
   State:           Workaround
   Date Released:   27-Feb-2007
   Date Closed:
   Date Modified:

1. Impact

Two security vulnerabilities in the PostgreSQL database server (see
postgres(1)) may allow local or remote PostgreSQL users the ability to cause
the PostgreSQL server to crash or access restricted database content. The
ability to crash the PostgreSQL server is a type of Denial of Service (DoS).

These issues are described in the following documents:

   CVE-2007-0555:
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0555

   CVE-2007-0556:
   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0556

   PostgreSQL Security Information:
   http://www.postgresql.org/support/security

2. Contributing Factors

These issues can occur in the following releases:

   SPARC Platform
     Solaris 10

   x86 Platform
     Solaris 10

Note 1: Solaris 8 and Solaris 9 do not ship with PostgreSQL and are thus not
impacted by this issue.

Note 2: CVE-2007-0555 affects PostgreSQL versions 7.3 before 7.3.13, 7.4
before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2.
CVE-2007-0556 affects PostgreSQL versions 8.0 before 8.0.11, 8.1 before
8.1.7, and 8.2 before 8.2.2.

Note 3: Any user exploiting these vulnerabilities must have an account on the
SQL server, and additional permissions to create or alter objects in the
database/schema are necessary for CVE-2007-0555. These permissions are
available by default to all such users.

Note 4: Solaris 10 6/06 was the first release of Solaris to ship PostgreSQL
and it included version 8.1.3. The patches in the "Resolution" section below
update PostgreSQL to version 8.1.8.
To determine the version of PostgreSQL on the system, the following command
can be run:

   $ /usr/bin/postgres --version
   postgres (PostgreSQL) 8.1.3

3. Symptoms

If the described issue occurs, the PostgreSQL server process may exit
unexpectedly with the following messages in the log file:

   LOG:  server process (PID 2917) was terminated by signal 11
   LOG:  terminating any other active server processes
   FATAL:  the database system is in recovery mode
   LOG:  all server processes terminated; reinitializing
   LOG:  database system was interrupted at 2007-02-09 08:56:28 CET

The log file is stored in the "data" directory by default.

The following stack trace is indicative of this issue:

   feb3458b memcpy (2a, 0, 8) + 1b
   08119bb7 postquel_execute (83ac8d8, 8046abc, 83ac418, 83129e0) + 7f
   08119cf8 fmgr_sql (8046abc) + 91
   08114f96 ExecMakeFunctionResult (83abd20, 83abc98, 83ac2a8, 83ac300) + 134
   0811574e ExecEvalFunc (83abd20, 83abc98, 83ac2a8, 83ac300) + 31
   08117e0a ExecTargetList (83ac178, 83abc98, 83ac298, 83ac2a8, 83ac300, 8046d80) + 6b
   081180a8 ExecProject (83ac2b8, 8046d80) + 59
   0811fce0 ExecResult (83abc10) + 9c
   08113eae ExecProcNode (83abc10) + 162
   081129bf ExecutePlan (83abb00, 83abc10, 1, 0, 1, 8355470) + 83
   08111fe5 ExecutorRun (83a8fe8, 1, 0) + 53
   081852d9 PortalRunSelect (83a6fb8, 1, 0, 8355470) + 177
   081850a1 PortalRun (83a6fb8, 7fffffff, 8355470, 8355470, 80470d8) + 2dc
   0818187c exec_simple_query (8354e88) + 285
   08184179 PostgresMain (4, 82f4a38, 82f4a08) + eee
   0816393f BackendRun (830cb10, 830cb10, 1, 45cc292c, 8047d74, 81618db) + 4bd
   08163271 BackendStartup (830cb10) + 4b
   081618db ServerLoop (313c1, 82f0708, 3, 82f8b48, 3, febb07a7) + 12f
   081611b7 PostmasterMain (3, 82f0708) + 9c3
   0812c3c5 main (3, 8047de0, 8047df0) + 1e5
   0807ef7a ???????? (3, 8047ea0, 8047fe1, 8047fe1, 0, 8047ec5)
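The following script is an added example, not Sun's or CIAC's code, that turns two parts of this alert into a repeatable check: it applies the affected-version ranges from Note 2 to the output of "postgres --version" (the command shown above), and it scans PostgreSQL server log lines for the backend-crash signature listed under Symptoms. The version ranges, the sample version string (8.1.3 from Note 4) and the sample log excerpt are taken from the alert; the function names and the two padding log lines are this example's own.

```python
"""Added example (not Sun's or CIAC's code): triage one PostgreSQL host
against Sun Alert 102825 / CIAC R-167. Part 1 applies the affected-version
ranges from Note 2 to 'postgres --version' output; part 2 scans server log
lines for the backend-crash signature shown under Symptoms."""
import re

# Note 2 of the alert: branch (major, minor) -> first patch level that is fixed.
FIXED_IN = {
    "CVE-2007-0555": {(7, 3): 13, (7, 4): 16, (8, 0): 11, (8, 1): 7, (8, 2): 2},
    "CVE-2007-0556": {(8, 0): 11, (8, 1): 7, (8, 2): 2},
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")
# Postmaster message emitted when a backend exits on a signal.
CRASH_RE = re.compile(r"server process \(PID (\d+)\) was terminated by signal (\d+)")
# Follow-on lines the alert lists after the crash.
RECOVERY_MARKERS = (
    "the database system is in recovery mode",
    "all server processes terminated; reinitializing",
)


def parse_version(output):
    """Extract (major, minor, patch) from output such as
    'postgres (PostgreSQL) 8.1.3'; raise ValueError if absent."""
    m = VERSION_RE.search(output)
    if not m:
        raise ValueError("no X.Y.Z version in %r" % output)
    return tuple(int(x) for x in m.groups())


def affecting_cves(version):
    """CVE ids from the alert whose range covers this version. Branches the
    alert does not list (e.g. 8.3) are treated as outside its scope."""
    major, minor, patch = version
    hits = []
    for cve, branches in FIXED_IN.items():
        fixed = branches.get((major, minor))
        if fixed is not None and patch < fixed:
            hits.append(cve)
    return sorted(hits)


def scan_log(lines):
    """Return one event per backend crash: pid, signal number, 1-based line
    index, and whether the recovery messages followed it."""
    events = []
    for idx, line in enumerate(lines, 1):
        m = CRASH_RE.search(line)
        if m:
            events.append({"line": idx, "pid": int(m.group(1)),
                           "signal": int(m.group(2)), "recovery": False})
        elif events and any(mk in line for mk in RECOVERY_MARKERS):
            events[-1]["recovery"] = True
    return events


def triage(version_output, log_lines):
    """Combine both checks; 'sigsegv_crashes' counts signal-11 exits, the
    signal shown in the alert's Symptoms section."""
    version = parse_version(version_output)
    events = scan_log(log_lines)
    return {
        "version": "%d.%d.%d" % version,
        "cves": affecting_cves(version),
        "crashes": events,
        "sigsegv_crashes": sum(1 for e in events if e["signal"] == 11),
    }


# Constructed sample input: the stock Solaris 10 6/06 version from Note 4 and
# the log excerpt from the Symptoms section, padded with two routine lines.
SAMPLE_VERSION = "postgres (PostgreSQL) 8.1.3"
SAMPLE_LOG = [
    "LOG:  database system is ready",
    "LOG:  server process (PID 2917) was terminated by signal 11",
    "LOG:  terminating any other active server processes",
    "FATAL:  the database system is in recovery mode",
    "LOG:  all server processes terminated; reinitializing",
    "LOG:  database system was interrupted at 2007-02-09 08:56:28 CET",
    "LOG:  database system is ready",
]

if __name__ == "__main__":
    print(triage(SAMPLE_VERSION, SAMPLE_LOG))
```

On a live host, feed triage() the real "/usr/bin/postgres --version" output and the lines of the server log in the "data" directory; a non-empty "cves" list means the installed branch is below the fixed patch level named in Note 2, and any signal-11 crash event followed by the recovery messages matches the symptom the alert describes.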
4. Relief/Workaround

To work around the issue described in CVE-2007-0555, remove permissions to
create or alter objects in the database schema from all users by using the
following command:

   REVOKE CREATE ON SCHEMA public FROM PUBLIC CASCADE;

Note: All users have this permission on the public schema by default. For
more information about the REVOKE command see:

   http://www.postgresql.org/docs/8.1/interactive/sql-revoke.html

There is no workaround for the issue described in CVE-2007-0556. Please see
the "Resolution" section below.

5. Resolution

A final resolution is pending completion.

This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of your
agreement to purchase services from Sun, or, if you do not have such an
agreement, the Sun.com Terms of Use. This Sun Alert notification may only be
used for the purposes contemplated by these agreements.

Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
CA 95054 U.S.A. All rights reserved.
[***** End Sun Alert ID: 102825 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by trade
name, trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-156: Buffer Overflow in ServerProtect
R-157: Macrovision FLEXnet Connect / InstallShield Update Service Agent
R-158: VeriSign Managed PKI Configuration Checker
R-159: Macrovision / InstallShield InstallFromTheWeb
R-160: McAfee Virex Vulnerability
R-161: Stack Overflow in Third-Party ActiveX Controls
R-162: Mozilla Firefox has a Memory Corruption
R-163: Mozilla Crashes with Evidence of Memory Corruption
R-165: Firefox Security Update
R-166: Cisco Catalyst 6000, 6500 Series and Cisco 7600 Series NAM (Network
       Analysis Module) Vulnerability