postgresql: Multiple vulnerabilities (CVE-2020-25694, CVE-2020-25695, CVE-2020-25696)
CVE-2020-25694: Reconnection can downgrade connection security settings
Many PostgreSQL-provided client applications have options that create additional database connections. Some of those applications reuse only the basic connection parameters (e.g. host, user, port), dropping others. If this drops a security-relevant parameter (e.g. channel_binding, sslmode, requirepeer, gssencmode), the attacker has an opportunity to complete a MITM attack or observe cleartext transmission. Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem is quite old.
Fixed In Version:
PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24
References:
- https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
- https://nvd.nist.gov/vuln/detail/CVE-2020-25694
CVE-2020-25695: Multiple features escape "security restricted operation" sandbox
An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from output of the pg_dump command. Performance may degrade quickly under this workaround. Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem is quite old.
Fixed In Version:
PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24
References:
- https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
- https://nvd.nist.gov/vuln/detail/CVE-2020-25695
CVE-2020-25696: psql's \gset allows overwriting specially treated variables
The \gset meta-command, which sets psql variables based on query results, does not distinguish variables that control psql behavior. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. Using \gset with a prefix not found among specially treated variables, e.g. any lowercase string, precludes the attack in an unpatched psql. Versions Affected: 9.5 - 13. The security team typically does not test unsupported versions, but this problem likely arrived with the feature's debut in version 9.3.
Fixed In Version:
PostgreSQL 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24
References:
- https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
- https://nvd.nist.gov/vuln/detail/CVE-2020-25696
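As an added illustration of the \gset workaround above (example code, not part of the advisory or of PostgreSQL), the following Python check scans a psql script and flags every \gset whose prefix does not start with a lowercase letter; it relies on psql's specially treated variables all having uppercase names, and the sample script is constructed.

```python
import re
from typing import List, Optional, Tuple

# psql's specially treated variables (PROMPT1, HISTFILE, ON_ERROR_STOP, ...)
# are all-uppercase names. \gset assigns prefix + column_name, and the server
# chooses the column names, so only the prefix is under the client's control.
# A prefix beginning with a lowercase letter can never yield an all-uppercase
# variable name, which is the workaround the advisory describes.
GSET_RE = re.compile(r'\\gset(?:[ \t]+([^\s\\]+))?')


def gset_prefix_problem(prefix: Optional[str]) -> Optional[str]:
    """Return None if the prefix is safe on an unpatched psql, else a reason."""
    if prefix is None:
        return "\\gset without a prefix: server-chosen column names become psql variable names"
    if not ('a' <= prefix[0] <= 'z'):
        return f"\\gset prefix {prefix!r} could combine with a column name into a special variable"
    return None


def audit_psql_script(script: str) -> List[Tuple[int, str]]:
    """Report (line number, reason) for each risky \\gset in a psql script.

    Line-oriented and deliberately simple: it does not track SQL string
    literals, so a literal containing '\\gset' is reported as well.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith('--'):  # SQL comment line, skip it
            continue
        for match in GSET_RE.finditer(line):
            problem = gset_prefix_problem(match.group(1))
            if problem:
                findings.append((lineno, problem))
    return findings


# Constructed sample script (not taken from the advisory).
SAMPLE_SCRIPT = """\
SELECT current_user AS who \\gset
SELECT now() AS started_at \\gset job_
SELECT 'x' AS x \\gset PROMPT
-- \\gset mentioned in a comment is ignored
SELECT version() AS v;
"""

if __name__ == '__main__':
    for lineno, reason in audit_psql_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: {reason}")
```

Lines 1 and 3 of the sample are reported; line 2 passes because the prefix `job_` keeps every resulting variable name out of psql's uppercase-only special set.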
Affected branches:
- master (cebc594a)
- 3.12-stable
- 3.11-stable
- 3.10-stable
- 3.9-stable