PostgreSQL Releases Security Update Addressing Multiple Vulnerabilities
The PostgreSQL Global Development Group has issued an important update addressing four security vulnerabilities across all supported versions of the popular open-source database system. The fixed releases are 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users are strongly urged to update their installations immediately to mitigate potential risks.
The vulnerabilities range in severity, with the most serious (CVE-2024-10979, CVSS 8.8) enabling arbitrary code execution in the context of the PostgreSQL server. This flaw exists within the PL/Perl procedural language and allows attackers to manipulate environment variables, potentially leading to complete system compromise. As the advisory states, “Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.”
Other vulnerabilities addressed in this update include:
CVE-2024-10976: This flaw involves row security policies and could allow attackers to bypass intended restrictions and access or modify data they shouldn’t be able to. “Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications,” warns the advisory.
CVE-2024-10977: This vulnerability affects the libpq client library and could allow a man-in-the-middle attacker to inject false error messages, potentially tricking users into revealing sensitive information.
CVE-2024-10978: This flaw involves incorrect privilege assignment with the SET ROLE and SET SESSION AUTHORIZATION commands, potentially allowing attackers to gain unauthorized access to data.
This update also includes fixes for over 35 non-security related bugs. Notably, this is the final release for PostgreSQL 12, which has now reached end-of-life. Users still running PostgreSQL 12 are strongly encouraged to migrate to a supported version as soon as possible.
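The fixed release numbers above are the only facts an administrator needs to triage a fleet: any server below its branch's fixed minor still carries all four CVEs, and anything on the 12 branch needs a migration plan even once patched. The following is an added example (not part of the announcement or of the PostgreSQL project) that encodes those release numbers and classifies the text returned by SELECT version() for each server; the host names and version strings in the inventory are constructed sample data.

```python
import re

# Minimum versions carrying the fixes for CVE-2024-10976 through
# CVE-2024-10979, as listed in the PostgreSQL release announcement.
FIXED_VERSIONS = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# 12.21 is the final PostgreSQL 12 release; the branch is now end-of-life.
EOL_MAJORS = {12}

# SELECT version() returns e.g. "PostgreSQL 16.4 on x86_64-pc-linux-gnu, ...";
# the first two dotted numbers are the major and minor release.
_VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)")


def parse_version(version_string):
    """Extract (major, minor) from the text returned by SELECT version()."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version_string):
    """Classify one server against the fixed releases in the announcement.

    status is 'patched', 'vulnerable', 'unsupported' (branch older than any
    listed here, so it never received the fixes) or 'unknown' (a branch this
    advisory does not cover). eol marks branches that get no further releases.
    """
    major, minor = parse_version(version_string)
    if major in FIXED_VERSIONS:
        status = "patched" if minor >= FIXED_VERSIONS[major] else "vulnerable"
    elif major < min(FIXED_VERSIONS):
        status = "unsupported"
    else:
        status = "unknown"
    return {"major": major, "minor": minor, "status": status, "eol": major in EOL_MAJORS}


def hosts_needing_action(inventory):
    """Return hosts that are not on a fixed release, or sit on an EOL branch.

    A 12.21 server is patched against these CVEs but still listed, because
    the branch will receive no fixes for anything found later.
    """
    flagged = []
    for host, version_string in inventory.items():
        result = assess(version_string)
        if result["status"] != "patched" or result["eol"]:
            flagged.append((host, result["status"], result["eol"]))
    return sorted(flagged)


# Constructed sample inventory: host -> output of SELECT version().
SAMPLE_INVENTORY = {
    "db-prod-01": "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 13.2.0, 64-bit",
    "db-prod-02": "PostgreSQL 16.5 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 13.2.0, 64-bit",
    "db-legacy-01": "PostgreSQL 12.21 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0, 64-bit",
    "db-legacy-02": "PostgreSQL 11.22 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0, 64-bit",
    "db-analytics": "PostgreSQL 17.1 on aarch64-unknown-linux-gnu, compiled by gcc (GCC) 14.2.0, 64-bit",
}

if __name__ == "__main__":
    for host, status, eol in hosts_needing_action(SAMPLE_INVENTORY):
        print(f"{host}: {status}" + (" (branch end-of-life)" if eol else ""))
```

In practice the inventory would be filled from `psql -Atc "SELECT version()"` run against each server; the classification logic is deliberately separate from collection so it can be unit-tested offline.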