November 15, 2024 at 02:46AM
A high-severity vulnerability (CVE-2024-10979) in PostgreSQL allows unprivileged users to modify environment variables, potentially enabling arbitrary code execution and information disclosure. With a CVSS score of 8.8, it has been patched in recent PostgreSQL versions. Users are advised to implement strict permissions on extensions and functions.
### Meeting Takeaways – November 15, 2024
**Subject:** Vulnerability / Database Security
**Key Points:**
1. **Security Flaw Disclosure:**
   – A high-severity security vulnerability has been identified in the PostgreSQL open-source database system, tracked as CVE-2024-10979.
   – CVSS score: **8.8**, indicating a significant risk.
2. **Nature of the Vulnerability:**
   – The flaw allows unprivileged users to alter environment variables, which can lead to:
     – Code execution.
     – Potential information disclosure.
   – Specifically, the issue arises from incorrect control of environment variables in PostgreSQL PL/Perl.
3. **Impact:**
   – Attackers can modify sensitive environment variables (such as `PATH`), potentially enabling arbitrary code execution even without an operating-system user account on the database server.
   – Depending on the attack scenario, the vulnerability could lead to severe security incidents, including extraction of sensitive information through malicious queries.
4. **Affected Versions:**
   – The security flaw has been addressed in the following PostgreSQL versions:
     – 17.1
     – 16.5
     – 15.9
     – 14.14
     – 13.17
     – 12.21
5. **Recommended Actions:**
   – Organizations are urged to promptly apply the available patches.
   – Users should restrict allowed extensions by:
     – Limiting `CREATE EXTENSION` permission to specific extensions.
     – Configuring `shared_preload_libraries` to load only required extensions.
   – Implementing the principle of least privilege by restricting `CREATE FUNCTION` permissions.
6. **Caution:**
   – Additional details regarding the vulnerability are being withheld temporarily to allow users to apply the necessary fixes.
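The checks and hardening steps from points 4 and 5, written out as an added SQL example (this is not code from the advisory or from the PostgreSQL project). It assumes a superuser session on the affected server; the role name `perl_developers` and the `shared_preload_libraries` value are placeholders to be replaced with your own. Note that PostgreSQL has no standalone `CREATE FUNCTION` privilege: creating a function requires `CREATE` on the target schema plus `USAGE` on the language, so least privilege is enforced through those two grants.

```sql
-- Added example, not part of the original advisory. Run as a superuser.

-- 1. Confirm the running release line. server_version_num is
--    major * 10000 + minor, so 16.5 reports 160005; compare against the
--    fixed versions listed above (17.1, 16.5, 15.9, 14.14, 13.17, 12.21).
SELECT current_setting('server_version_num')::int AS version_num,
       version();

-- 2. Inventory procedural languages: is PL/Perl installed, is it the
--    trusted variant, and which roles hold USAGE on it (lanacl)?
SELECT lanname, lanpltrusted, lanacl
FROM pg_language
WHERE lanname NOT IN ('internal', 'c', 'sql');

-- 3. Trusted languages such as plperl are usable by PUBLIC by default.
--    Withdraw that and grant USAGE only to the roles that need it.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
GRANT USAGE ON LANGUAGE plperl TO perl_developers;   -- placeholder role

-- 4. Function creation also needs CREATE on a schema; stop ordinary
--    users from creating objects in public.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 5. Review installed extensions and list every function written in
--    PL/Perl together with its owner, so unexpected ones can be reviewed.
SELECT extname, extversion FROM pg_extension ORDER BY extname;

SELECT n.nspname AS schema, p.proname AS function, r.rolname AS owner
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE l.lanname IN ('plperl', 'plperlu')
ORDER BY 1, 2;

-- 6. Preload only the libraries actually required. The new value is
--    written to postgresql.auto.conf and takes effect after a restart.
ALTER SYSTEM SET shared_preload_libraries = 'pg_stat_statements';   -- placeholder value
```

The inventory queries (1, 2 and 5) are safe to run on any server and give the evidence needed to decide whether the `REVOKE` statements apply; the `REVOKE`/`GRANT` statements change behaviour for existing users, so review the `lanacl` and function-owner output before running them in production.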
**Next Steps:**
– Ensure timely updates to PostgreSQL systems.
– Implement recommended security measures to mitigate risks associated with this vulnerability.