Bug 1051685 (CVE-2017-7547)

Summary: VUL-0: CVE-2017-7547: postgresql,postgresql94,postgresql96: pg_user_mappings view discloses passwords to users lacking server privileges
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jsegitz, max, meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv3:SUSE:CVE-2017-7547:5.4:(AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) CVSSv2:SUSE:CVE-2017-7547:4.9:(AV:N/AC:M/Au:S/C:P/I:P/A:N) CVSSv3:RedHat:CVE-2017-7486:7.5:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv3:RedHat:CVE-2017-7547:7.5:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) maint:running:63834:important maint:released:oes11-sp2:63835 CVSSv3:NVD:CVE-2017-7547:8.8:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVSSv2:NVD:CVE-2017-7547:4.0:(AV:N/AC:L/Au:S/C:P/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 3 Johannes Segitz 2017-08-01 14:52:58 UTC
CRD: 2017-08-07
Comment 7 Marcus Meissner 2017-08-10 15:21:50 UTC
https://www.postgresql.org/about/news/1772/

CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges

This fix pertains to the usage of the foreign data wrapper functionality, particularly for the user mapping feature.

Before this fix, a user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user.

This fix will only fix the behavior in newly created clusters utilizing initdb. To fix this issue on existing systems, you will need to follow the below steps. For more details, please see the release notes.

    1. In your postgresql.conf file, add the following:

           allow_system_table_mods = true

    2. After adding that line, you will need to restart your PostgreSQL cluster.

    3. In each database of the cluster, run the following commands as a superuser:

           SET search_path = pg_catalog;
           CREATE OR REPLACE VIEW pg_user_mappings AS
           SELECT
               U.oid       AS umid,
               S.oid       AS srvid,
               S.srvname   AS srvname,
               U.umuser    AS umuser,
               CASE WHEN U.umuser = 0 THEN
                   'public'
               ELSE
                   A.rolname
               END AS usename,
               CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
                            AND (pg_has_role(S.srvowner, 'USAGE')
                                 OR has_server_privilege(S.oid, 'USAGE')))
                           OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                           OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                           THEN U.umoptions
                        ELSE NULL END AS umoptions
           FROM pg_user_mapping U
           LEFT JOIN pg_authid A ON (A.oid = U.umuser)
           JOIN pg_foreign_server S ON (U.umserver = S.oid);

    4. You also need to run the command on your template0 and template1 databases, otherwise the vulnerability will exist in future databases that you create.

       First, you will need to allow template0 to accept connections. In PostgreSQL 9.5 you can run the following:

           ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

       In PostgreSQL 9.4 and below, you will have to run this command:

           UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';

       Then, in your template0 and template1 databases, run the commands as described in Step 3.

       When you are done, you will need to disallow connections from template0. In PostgreSQL 9.5, you can run the following:

           ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

       In PostgreSQL 9.4 and below, you will have to run the following:

           UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';

    5. Remove the following line from your postgresql.conf file:

           allow_system_table_mods = false

    6. Restart your PostgreSQL cluster.

For more details, please see the release notes.
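A post-remediation check for the steps in comment 7, added here as an example and not part of the bug report or the PostgreSQL announcement. It assumes that the presence of has_server_privilege in the view text marks the corrected definition (a heuristic taken from the view shown above), and the output column names view_is_fixed and stores_password are made up for the example.

```sql
-- Added example: run as a superuser in EVERY database of the cluster,
-- including template0 and template1 while they still accept connections.

-- 1. Does this database carry the corrected view?
--    Heuristic (assumption): the fixed definition quoted in comment 7
--    calls has_server_privilege(), so its absence means the view in
--    this database has not been replaced yet.
SELECT current_database() AS db,
       pg_get_viewdef('pg_catalog.pg_user_mappings'::regclass, true)
           LIKE '%has_server_privilege%' AS view_is_fixed;

-- 2. Which user mappings store a password option at all?
--    Reads the base catalog directly and reports only a boolean flag,
--    so the option values themselves never appear in the audit output.
SELECT s.srvname,
       CASE WHEN u.umuser = 0 THEN 'public' ELSE a.rolname END AS usename,
       EXISTS (SELECT 1
               FROM unnest(u.umoptions) AS opt
               WHERE opt LIKE 'password=%') AS stores_password
FROM pg_catalog.pg_user_mapping u
JOIN pg_catalog.pg_foreign_server s ON s.oid = u.umserver
LEFT JOIN pg_catalog.pg_authid a ON a.oid = u.umuser
ORDER BY s.srvname, usename;

-- 3. Was the temporary state from the procedure rolled back?
--    template0 should refuse connections again (datallowconn = f) ...
SELECT datname, datallowconn
FROM pg_catalog.pg_database
WHERE datname IN ('template0', 'template1')
ORDER BY datname;

--    ... and catalog modifications should be disabled again (off).
SHOW allow_system_table_mods;
```

A database where view_is_fixed is false and stores_password is true for any row is one where the old view could still show stored credentials to roles without USAGE on the foreign server.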
Comment 8 Bernhard Wiedemann 2017-08-11 14:05:34 UTC
This is an autogenerated message for OBS integration:
This bug (1051685) was mentioned in
https://build.opensuse.org/request/show/516109 Factory / postgresql96
https://build.opensuse.org/request/show/516113 Factory / postgresql94
https://build.opensuse.org/request/show/516114 Factory / postgresql93
Comment 9 Bernhard Wiedemann 2017-08-11 16:01:14 UTC
This is an autogenerated message for OBS integration:
This bug (1051685) was mentioned in
https://build.opensuse.org/request/show/516149 Factory / postgresql95
Comment 10 Swamp Workflow Management 2017-08-22 19:11:41 UTC
SUSE-SU-2017:2236-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    postgresql93-9.3.18-25.5.1
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql93-9.3.18-25.5.1
Comment 11 Swamp Workflow Management 2017-08-25 16:18:53 UTC
SUSE-SU-2017:2258-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.13-0.23.5.1, postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    postgresql94-9.4.13-0.23.5.1, postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    postgresql94-9.4.13-0.23.5.1, postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.13-0.23.5.1, postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    postgresql94-9.4.13-0.23.5.1
Comment 12 Swamp Workflow Management 2017-08-31 01:07:11 UTC
openSUSE-SU-2017:2306-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
openSUSE Leap 42.3 (src):    postgresql93-9.3.18-8.1, postgresql93-libs-9.3.18-8.1
openSUSE Leap 42.2 (src):    postgresql93-9.3.18-5.12.1, postgresql93-libs-9.3.18-5.12.1
Comment 13 Swamp Workflow Management 2017-09-05 19:07:57 UTC
SUSE-SU-2017:2355-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
SUSE OpenStack Cloud 6 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    postgresql94-libs-9.4.13-21.5.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server for SAP 12 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server 12-SP2 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    postgresql94-9.4.13-21.5.1
Comment 14 Swamp Workflow Management 2017-09-05 19:08:47 UTC
SUSE-SU-2017:2356-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
SUSE OpenStack Cloud 6 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server for SAP 12 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server 12-SP2 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
Comment 15 Swamp Workflow Management 2017-09-08 16:31:13 UTC
openSUSE-SU-2017:2391-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
openSUSE Leap 42.3 (src):    postgresql96-9.6.4-6.1, postgresql96-libs-9.6.4-6.1
openSUSE Leap 42.2 (src):    postgresql96-9.6.4-5.1, postgresql96-libs-9.6.4-5.1
Comment 16 Swamp Workflow Management 2017-09-08 16:31:55 UTC
openSUSE-SU-2017:2392-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
openSUSE Leap 42.3 (src):    postgresql94-9.4.13-12.1, postgresql94-libs-9.4.13-12.1
openSUSE Leap 42.2 (src):    postgresql94-9.4.13-9.9.1, postgresql94-libs-9.4.13-9.9.1
Comment 17 Marcus Meissner 2018-01-15 10:39:51 UTC
released
Comment 18 Swamp Workflow Management 2018-02-21 13:40:11 UTC
This is an autogenerated message for OBS integration:
This bug (1051685) was mentioned in
https://build.opensuse.org/request/show/578690 42.3 / postgresql95
Comment 19 Swamp Workflow Management 2018-02-22 23:08:45 UTC
openSUSE-SU-2018:0529-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259,1067841,1067844,1077983,1079757
CVE References: CVE-2017-15098,CVE-2017-15099,CVE-2017-7546,CVE-2017-7547,CVE-2017-7548,CVE-2018-1053
Sources used:
openSUSE Leap 42.3 (src):    postgresql95-9.5.11-2.3.1, postgresql95-libs-9.5.11-2.3.1