CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
44.0%
Pgpool-II is cluster management tool. Pgpool-II contains an information disclosure vulnerability (CWE-200) in its watchdog function.
Note that, only systems that meet all of the following setting requirements are affected by this vulnerability.
Watchdog function is enabled (use_watchdog = on
) “query mode” is used for the alive monitoring of watchdog (wd_lifecheck_method = 'query'
) Plain text password is set for wd_lifecheck_password
A specific database user’s authentication information may be obtained by another database user.
As a result, the information stored in the database may be altered and/or database may be suspended by an attacker who logged in with the obtained credentials.
Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.
Apply the workaround
Applying the following workarounds may mitigate the impacts of this vulnerability.
Pgpool-II 3.3 series to 3.7 series
Stop using watchdog function (use_watchdog = off
)
Set as follows:
wd_lifecheck_method = 'heartbeat'
Stop using watchdog function (use_watchdog = off
)
Set as follows:
wd_lifecheck_method = 'heartbeat'
Set encrypted password with AES for wd_lifecheck_password
Set null characters for wd_lifecheck_password
and the password to pool_passwd file
The following versions of Pgpool-II are affected: