Bug 1051685 – VUL-0: CVE-2017-7547: postgresql,postgresql94,postgresql96: pg_user_mappings view discloses passwords to users lacking server privileges

Bug 1051685 - (CVE-2017-7547) VUL-0: CVE-2017-7547: postgresql,postgresql94,postgresql96: pg_user_mappings view discloses passwords to users lacking server privileges

(CVE-2017-7547)
Summary:	VUL-0: CVE-2017-7547: postgresql,postgresql94,postgresql96: pg_user_mappings ...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	CVSSv3:SUSE:CVE-2017-7547:5.4:(AV:N/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-08-01 13:36 UTC by Marcus Meissner
Modified:	2018-11-07 16:25 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 3 Johannes Segitz 2017-08-01 14:52:58 UTC

CRD: 2017-08-07

Comment 7 Marcus Meissner 2017-08-10 15:21:50 UTC

https://www.postgresql.org/about/news/1772/

CVE-2017-7547: The "pg_user_mappings" catalog view discloses passwords to users lacking server privileges

This fix pertains to the usage of the foreign data wrapper functionality, particularly for the user mapping feature.

Before this fix, a user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user.

This fix will only fix the behavior in newly created clusters utilizing initdb. To fix this issue on existing systems, you will need to follow the below steps. For more details, please see the release notes.

    In your postgresql.conf file, add the following:

    allow_system_table_mods = true

    After adding that line, you will need to restart your PostgreSQL cluster.

    In each database of the cluster, run the following commands as a superuser:

    SET search_path = pg_catalog;
    CREATE OR REPLACE VIEW pg_user_mappings AS
    SELECT
        U.oid       AS umid,
        S.oid       AS srvid,
        S.srvname   AS srvname,
        U.umuser    AS umuser,
        CASE WHEN U.umuser = 0 THEN
            'public'
        ELSE
            A.rolname
        END AS usename,
        CASE WHEN (U.umuser <> 0 AND A.rolname = current_user
                     AND (pg_has_role(S.srvowner, 'USAGE')
                          OR has_server_privilege(S.oid, 'USAGE')))
                    OR (U.umuser = 0 AND pg_has_role(S.srvowner, 'USAGE'))
                    OR (SELECT rolsuper FROM pg_authid WHERE rolname = current_user)
                    THEN U.umoptions
                 ELSE NULL END AS umoptions
    FROM pg_user_mapping U
    LEFT JOIN pg_authid A ON (A.oid = U.umuser)
    JOIN pg_foreign_server S ON (U.umserver = S.oid);

    You also need to run the command on your template0 and template1 databases, otherwise the vulnerability will exist in future databases that you create.

    First, you will need to allow template0 to accept connections. In PostgreSQL 9.5 you can run the following:

    ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

    In PostgreSQL 9.4 and below, you will have to run this command:

    UPDATE pg_database SET datallowconn = true WHERE datname = 'template0';

    Then, in your template0 and template1 databases, run the commands as describe in Step 3

    When you are done, you will need to disallow connections from template0. In PostgreSQL 9.5, you can run the following:

    ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

    In PostgreSQL 9.4 and below, you will have to run the following:

    UPDATE pg_database SET datallowconn = false WHERE datname = 'template0';

    Remove the following line from your postgresql.conf file:

    allow_system_table_mods = false

    Restart your PostgreSQL cluster

For more details, please see the release notes.

Comment 8 Bernhard Wiedemann 2017-08-11 14:05:34 UTC

This is an autogenerated message for OBS integration:
This bug (1051685) was mentioned in
https://build.opensuse.org/request/show/516109 Factory / postgresql96
https://build.opensuse.org/request/show/516113 Factory / postgresql94
https://build.opensuse.org/request/show/516114 Factory / postgresql93

Comment 9 Bernhard Wiedemann 2017-08-11 16:01:14 UTC

This is an autogenerated message for OBS integration:
This bug (1051685) was mentioned in
https://build.opensuse.org/request/show/516149 Factory / postgresql95

Comment 10 Swamp Workflow Management 2017-08-22 19:11:41 UTC

SUSE-SU-2017:2236-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    postgresql93-9.3.18-25.5.1
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql93-9.3.18-25.5.1

Comment 11 Swamp Workflow Management 2017-08-25 16:18:53 UTC

SUSE-SU-2017:2258-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Server 11-SP4 (src):    postgresql94-9.4.13-0.23.5.1, postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    postgresql94-9.4.13-0.23.5.1, postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    postgresql94-9.4.13-0.23.5.1, postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    postgresql94-9.4.13-0.23.5.1, postgresql94-libs-9.4.13-0.23.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    postgresql94-9.4.13-0.23.5.1

Comment 12 Swamp Workflow Management 2017-08-31 01:07:11 UTC

openSUSE-SU-2017:2306-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
openSUSE Leap 42.3 (src):    postgresql93-9.3.18-8.1, postgresql93-libs-9.3.18-8.1
openSUSE Leap 42.2 (src):    postgresql93-9.3.18-5.12.1, postgresql93-libs-9.3.18-5.12.1

Comment 13 Swamp Workflow Management 2017-09-05 19:07:57 UTC

SUSE-SU-2017:2355-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
SUSE OpenStack Cloud 6 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    postgresql94-libs-9.4.13-21.5.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server for SAP 12 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server 12-SP2 (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql94-9.4.13-21.5.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    postgresql94-9.4.13-21.5.1

Comment 14 Swamp Workflow Management 2017-09-05 19:08:47 UTC

SUSE-SU-2017:2356-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
SUSE OpenStack Cloud 6 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server for SAP 12 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server 12-SP2 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Server 12-LTSS (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    postgresql96-9.6.4-3.6.1, postgresql96-libs-9.6.4-3.6.1

Comment 15 Swamp Workflow Management 2017-09-08 16:31:13 UTC

openSUSE-SU-2017:2391-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
openSUSE Leap 42.3 (src):    postgresql96-9.6.4-6.1, postgresql96-libs-9.6.4-6.1
openSUSE Leap 42.2 (src):    postgresql96-9.6.4-5.1, postgresql96-libs-9.6.4-5.1

Comment 16 Swamp Workflow Management 2017-09-08 16:31:55 UTC

openSUSE-SU-2017:2392-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259
CVE References: CVE-2017-7546,CVE-2017-7547,CVE-2017-7548
Sources used:
openSUSE Leap 42.3 (src):    postgresql94-9.4.13-12.1, postgresql94-libs-9.4.13-12.1
openSUSE Leap 42.2 (src):    postgresql94-9.4.13-9.9.1, postgresql94-libs-9.4.13-9.9.1

Comment 17 Marcus Meissner 2018-01-15 10:39:51 UTC

released

Comment 18 Swamp Workflow Management 2018-02-21 13:40:11 UTC

This is an autogenerated message for OBS integration:
This bug (1051685) was mentioned in
https://build.opensuse.org/request/show/578690 42.3 / postgresql95

Comment 19 Swamp Workflow Management 2018-02-22 23:08:45 UTC

openSUSE-SU-2018:0529-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1051684,1051685,1053259,1067841,1067844,1077983,1079757
CVE References: CVE-2017-15098,CVE-2017-15099,CVE-2017-7546,CVE-2017-7547,CVE-2017-7548,CVE-2018-1053
Sources used:
openSUSE Leap 42.3 (src):    postgresql95-9.5.11-2.3.1, postgresql95-libs-9.5.11-2.3.1