===================================================================== CERT-Renater Note d'Information No. 2009/VULN557 _____________________________________________________________________ DATE : 28/12/2009 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Solaris 10, OpenSolaris running PostgreSQL. ====================================================================== http://sunsolve.sun.com/search/document.do?assetkey=1-66-274870-1 ______________________________________________________________________ Security Vulnerabilities in PostgreSQL Shipped With Solaris May Allow Escalation of Privileges or Man-in-the-Middle on SSL Connections Category : Security Release Phase : Workaround Bug Id : 6909139, 6909140, 6909142 Product : Solaris 10 Operating System OpenSolaris Date of Workaround Release : 24-Dec-2009 Security Vulnerabilities in PostgreSQL Shipped With Solaris May Allow Escalation of Privileges or Man-in-the-Middle on SSL Connections 1. Impact Multiple security vulnerabilities have been identified in the PostgreSQL software shipped with Solaris. These vulnerabilities may allow a remote authenticated user with certain privileges to gain extra privileges via a table with a crafted index function. Further vulnerabilities may allow man-in-the-middle attacks on SSL based PostgreSQL servers by substituting malicious SSL certificates for trusted ones. These issues are described in the following documents: Official PostgreSQL annoucement at http://www.postgresql.org/about/news.1170 CVE-2009-4034 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4034 CVE-2009-4136 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4136 2. Contributing Factors These issues can occur in the following releases: SPARC Platform * Solaris 10 6/06 (or later) PostgreSQL 8.1 * Solaris 10 8/07 (or later) PostgreSQL 8.2 * Solaris 10 10/08 (or later) PostgreSQL 8.3 * OpenSolaris PostgreSQL 8.1 based upon builds snv_35 through snv_109 * OpenSolaris PostgreSQL 8.2 based upon builds snv_56 through snv_130 * OpenSolaris PostgreSQL 8.3 based upon builds snv_87 through snv_130 x86 Platform * Solaris 10 6/06 (or later) PostgreSQL 8.1 * Solaris 10 8/07 (or later) PostgreSQL 8.2 * Solaris 10 10/08 (or later) PostgreSQL 8.3 * OpenSolaris PostgreSQL 8.1 based upon builds snv_35 through snv_109 * OpenSolaris PostgreSQL 8.2 based upon builds snv_56 through snv_130 * OpenSolaris PostgreSQL 8.3 based upon builds snv_87 through snv_130 Notes: 1. Solaris 8 and 9 do not ship with PostgreSQL and are not impacted by these issues. 2. A user must have an account on the PostgreSQL server to exploit the issue described in CVE-2009-4136. 3. The CVE-2009-4034 and CVE-2009-4136 issues affect PostgreSQL 7.4.x prior to 7.4.27, 8.0.x prior to 8.0.23, 8.1.x prior to 8.1.19, 8.2.x prior to 8.2.15 and 8.3.x prior to 8.3.9 and versions 8.4.x prior to 8.4.2. 4. PostgreSQL 8.1 (SUNWpostgr), 8.2 (packages beginning with SUNWpostgr-82) and 8.3 (packages beginning with SUNWpostgr-83) can be installed at the same time and are separately impacted by these vulnerabilities. To determine if a version of PostgreSQL is installed, a command such as the following can be used: $ pkginfo | grep SUNWpostgr system SUNWpostgr PostgreSQL 8.1.9 client programs and libraries system SUNWpostgr-82-client PostgreSQL 8.2 client tools To determine if PostgreSQL is running on a server, a command such as the following can be run as the user 'postgres' (or the 'root' user): for PostgreSQL 8.1: $ pg_ctl status -D /var/lib/pgsql/data/ pg_ctl: neither postmaster nor postgres running for PostgreSQL 8.2: $ /usr/postgres/8.2/bin/pg_ctl status -D /var/postgres/8.2/data/ pg_ctl: server is running (PID: 395) for PostgreSQL 8.3: $ /usr/postgres/8.3/bin/pg_ctl status -D /var/postgres/8.3/data/ pg_ctl: server is running (PID: 395) or (where applicable): $ svcs -a | grep postgresql disabled 17:12:37 svc:/application/database/postgresql_83:default_32bit disabled 17:12:37 svc:/application/database/postgresql:version_82 disabled 17:12:37 svc:/application/database/postgresql:version_82_64bit online 17:13:05 svc:/application/database/postgresql_83:default_64bit 3. Symptoms There are no predictable symptoms that would indicate the described issues have been exploited. 4. Workaround To prevent the issue described in CVE-2009-4136 from being freshly exploited, the database administrator can revoke the "create" privilege from users by running the following commands: REVOKE CREATE ON SCHEMA FROM ; or REVOKE CREATE ON TABLESPACE FROM ; Preliminary T-Patches are available for the following releases from http://sunsolve.sun.com/tpatches: SPARC Platform * Solaris 10 6/06 (or later) PostgreSQL 8.1 T-patch T123590-12 * Solaris 10 8/07 (or later) PostgreSQL 8.2 T-patch T136998-08 * Solaris 10 10/08 (or later) PostgreSQL 8.3 T-patch T138826-06 x86 Platform * Solaris 10 6/06 (or later) PostgreSQL 8.1 T-patch T123591-12 * Solaris 10 8/07 (or later) PostgreSQL 8.2 T-patch T136999-08 * Solaris 10 10/08 (or later) PostgreSQL 8.3 T-patch T138827-06 This document refers to one or more preliminary temporary patches (T-Patches) which are designed to address the concerns identified herein. Sun has limited experience with these patches due to their preliminary nature. As such, you should only install the patches on systems meeting the configurations described above. Sun may release full patches at a later date, however, Sun is under no obligation whatsoever to create, release, or distribute any such patch. 5. Resolution These issues are addressed in the following releases: SPARC Platform * OpenSolaris PostgreSQL 8.1 based upon builds snv_110 or later * OpenSolaris PostgreSQL 8.2 based upon builds snv_131 or later * OpenSolaris PostgreSQL 8.3 based upon builds snv_131 or later x86 Platform * OpenSolaris PostgreSQL 8.1 based upon builds snv_110 or later * OpenSolaris PostgreSQL 8.2 based upon builds snv_131 or later * OpenSolaris PostgreSQL 8.3 based upon builds snv_131 or later Note PostgreSQL 8.1 was removed from OpenSolaris snv_110 onwards. A final resolution is pending completion for Solaris 10. For more information on Security Sun Alerts, see Technical Instruction ID 213557. This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2009 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================