Varonis Warns of Bug Discovered in PostgreSQL PL/Perl

November 14, 2024 at 05:07PM

A vulnerability in the PL/Perl extension of PostgreSQL (CVE-2024-10979, CVSS 8.8) allows a database user to set arbitrary environment variables in the server process, which can lead to arbitrary code execution on the database host. Affected versions should be updated, and administrators should review their function-creation logs for unauthorised activity.

### Key Takeaways:

1. **Vulnerability Identification**:
– A vulnerability in the PostgreSQL procedural-language extension PL/Perl was discovered by Varonis.
– The issue allows database users to set arbitrary environment variables in the PostgreSQL backend (session) process.

2. **Severity and Impact**:
– The vulnerability has a CVSS score of 8.8, indicating high severity.
– Exploitation can lead to severe security risks, including arbitrary code execution on the database host, without the attacker needing an operating-system user account on the server.

3. **Details of the Vulnerability**:
– Tracked as CVE-2024-10979, it lets an attacker with database access modify sensitive process environment variables (such as PATH), which is often enough to get code running, and to execute additional queries for information gathering.

4. **Affected Versions**:
– All releases prior to the following PostgreSQL versions:
– 17.1
– 16.5
– 15.9
– 14.14
– 13.17
– 12.21
– Earlier minor releases in each of these major versions are vulnerable and should be updated; major versions that are out of support received no fix.

5. **Mitigation Recommendations**:
– Upgrade to the latest minor release of your PostgreSQL major version as the minimum remedial action.
– Restrict the extensions and procedural languages users are allowed to use; in particular, do not grant PL/Perl to roles that do not need it.

6. **Monitoring and Assessment**:
– Customers should review DDL logs for any function creations they did not authorise; an unfamiliar PL/Perl function is a sign that the vulnerability may have been exploited.
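The version check below is an added example, not code from Varonis or the PostgreSQL project. It takes the string returned by `SELECT version()` and compares the major.minor against the fixed releases listed above. Treating majors older than 12 as affected is an assumption (they are out of support and received no fix), as is treating majors newer than 17 as unaffected.

```python
import re

# Fixed minor releases from the advisory: any earlier minor of the same major is affected.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Matches the leading "PostgreSQL <major>.<minor>" of SELECT version() output.
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)")


def parse_version(version_string: str) -> tuple[int, int]:
    """Extract (major, minor) from a SELECT version() string such as
    'PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc ...'."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version_string: str) -> bool:
    """True if the server predates the fix for CVE-2024-10979."""
    major, minor = parse_version(version_string)
    if major not in FIXED_MINOR:
        # Assumption: majors before 12 are end-of-life and got no fix (affected);
        # majors after 17 were released with the fix already in (not affected).
        return major < 12
    return minor < FIXED_MINOR[major]


if __name__ == "__main__":
    # Constructed sample inputs, not real server output.
    for v in ("PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc 12.2.0",
              "PostgreSQL 16.5 on x86_64-pc-linux-gnu, compiled by gcc 12.2.0",
              "PostgreSQL 11.22 on x86_64-pc-linux-gnu"):
        print(f"{v.split(' on ')[0]}: {'AFFECTED' if is_affected(v) else 'fixed'}")
```

Run it against the output of `psql -Atc 'SELECT version()'` on each server; anything reported as affected should be upgraded before the log review below is relied on.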
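As an added example of the DDL log review recommended above (this is my own detection logic, not a Varonis or PostgreSQL tool), the script below scans server log lines written with `log_statement = 'ddl'` and flags `CREATE FUNCTION` statements in PL/Perl that either came from a role not on an allowlist of authorised function creators or reference Perl's `%ENV`, the primitive this bug exposes. The log lines are constructed samples, the `log_line_prefix` format `'%m [%p] %u@%d '` and the allowlist are assumptions, and you should adapt the line regex to your own prefix.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not real server output), in the shape produced by
# log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'ddl'.
SAMPLE_LOG = """\
2024-11-14 16:58:02.114 UTC [4411] dba@appdb LOG:  statement: CREATE INDEX orders_customer_idx ON orders (customer_id)
2024-11-14 17:01:19.530 UTC [4417] dba@appdb LOG:  statement: CREATE OR REPLACE FUNCTION add_one(int) RETURNS int AS $$ return $_[0] + 1; $$ LANGUAGE plperl
2024-11-14 17:03:44.907 UTC [4420] app_user@appdb LOG:  statement: CREATE FUNCTION tmp_f() RETURNS void AS $$ $ENV{PATH} = "/tmp/x:$ENV{PATH}"; $$ LANGUAGE plperl
2024-11-14 17:05:10.331 UTC [4425] app_user@appdb LOG:  statement: CREATE FUNCTION sq(x int) RETURNS int AS $$ SELECT x * x $$ LANGUAGE sql
"""

# Assumed prefix layout: timestamp with zone, [pid], user@database, then the statement.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<stmt>.*)$"
)
CREATE_FN_RE = re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?P<name>[\w.\"]+)", re.I)
LANG_RE = re.compile(r"\bLANGUAGE\s+(?P<lang>\w+)", re.I)
# Perl environment access inside the function body: $ENV{...} or the %ENV hash itself.
ENV_RE = re.compile(r"\$ENV\s*\{|%ENV\b")


@dataclass
class Finding:
    timestamp: str
    user: str
    database: str
    function: str
    language: str
    touches_env: bool
    unauthorised: bool


def review_ddl_log(log_text: str, authorised_users: set[str]) -> list[Finding]:
    """Return one Finding per CREATE FUNCTION statement found in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stmt = m.group("stmt")
        fn = CREATE_FN_RE.search(stmt)
        if not fn:
            continue
        lang_m = LANG_RE.search(stmt)
        language = lang_m.group("lang").lower() if lang_m else "unknown"
        findings.append(Finding(
            timestamp=m.group("ts"),
            user=m.group("user"),
            database=m.group("db"),
            function=fn.group("name").strip('"'),
            language=language,
            touches_env=bool(ENV_RE.search(stmt)),
            unauthorised=m.group("user") not in authorised_users,
        ))
    return findings


def suspicious(findings: list[Finding]) -> list[Finding]:
    """PL/Perl functions created by an unexpected role, or that touch %ENV."""
    return [f for f in findings
            if f.language in ("plperl", "plperlu") and (f.unauthorised or f.touches_env)]


if __name__ == "__main__":
    # Assumed allowlist of roles permitted to create functions on this server.
    for f in suspicious(review_ddl_log(SAMPLE_LOG, {"dba"})):
        print(f"{f.timestamp} {f.user}@{f.database} created {f.function} "
              f"({f.language}) env={f.touches_env} unauthorised={f.unauthorised}")
```

A hit on the `%ENV` pattern is the stronger signal; a PL/Perl function from an unexpected role is worth a look even without it, since the body may be obfuscated or split across statements. Pair the log review with a live inventory (`SELECT proname FROM pg_proc p JOIN pg_language l ON l.oid = p.prolang WHERE l.lanname IN ('plperl', 'plperlu')`) so that functions created before logging was enabled are not missed.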
