KLA11539 Multiple vulnerabilities in PostgreSQL

Multiple vulnerabilities were found in PostgreSQL. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information, bypass security restrictions.

Below is a complete list of vulnerabilities:

1. A vulnerability in PostgreSQL can be exploited to execute arbitrary code;
2. Memory disclosure vulnerability in PostgreSQL can be exploited via reading arbitrary bytes of server memory to obtain sensitive information;
3. A vulnerability in EnterpriseDB Windows installer can be exploited via writing PostgreSQL superuser password to unprotected temporary file to bypass security restrictions;
4. A vulnerability in EnterpriseDB Windows installer can be exploited via bundling OpenSSL executes code from unprotected directory to bypass security restrictions;

Original advisories

PostgreSQL 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24, and 12 Beta 3 Released!

Related products

PostgreSQL

CVE list

CVE-2019-10208 high

CVE-2019-10209 warning

CVE-2019-10210 warning

CVE-2019-10211 critical

Solution

Update to the latest version

Download PostgreSQL

Impacts

• ACE

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

• OSI

Obtain sensitive information. Exploitation of vulnerabilities with this impact can lead to capturing by abuser information, critical for user or system.

• SB

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.

• PE

Privilege escalation. Exploitation of vulnerabilities with this impact can lead to performing by abuser actions, which are normally disallowed for current role.