Cloud Foundry Logo
blog single gear
Security Advisory

CVE-2017-7484, 7485, 7486: PostgreSQL vulnerabilities

CVE-2017-7484, 7485, 7486: PostgreSQL vulnerabilities

Severity

High

Vendor

PostgreSQL

Versions Affected

  • PostGreSQL versions:
    • All versions prior to 9.2.21
    • 9.3.x versions prior to 9.3.17
    • 9.4.x versions prior to 9.4.12
    • 9.5.x versions prior to 9.5.7
    • 9.6.x versions prior to 9.6.3

Description

It was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. (CVE-2017-7484)

It was found that the PGREQUIRESSL was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. (CVE-2017-7485)

PostgreSQL versions 8.4 – 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. (CVE-2017-7486)

Affected Cloud Foundry Products and Versions

Severity is high unless otherwise noted.

  • Postgres-release versions prior to v17
  • Cf-release versions prior to v260

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade to Cloud Foundry v260[1] or later

References

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES