Note: This is an archival copy of Security Sun Alert 274870 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021746.1.
6909139, 6909140, 6909142
Solaris 10 Operating System
Date of Workaround Release
Date of Resolved Release
Security Vulnerabilities in PostgreSQL Shipped With Solaris May Allow Escalation of Privileges or Man-in-the-Middle on SSL Connections
Multiple security vulnerabilities have been identified in the PostgreSQL software shipped with Solaris. These vulnerabilities may allow a remote authenticated user with certain privileges to gain extra privileges via a table with a crafted index function. Further vulnerabilities may allow man-in-the-middle attacks on SSL based PostgreSQL servers by substituting malicious SSL certificates for trusted ones.
These issues are described in the following documents:
Official PostgreSQL annoucement at http://www.postgresql.org/about/news.1170
CVE-2009-4034 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4034
CVE-2009-4136 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4136
2. Contributing Factors
These issues can occur in the following releases:
1. Solaris 8 and 9 do not ship with PostgreSQL and are not impacted by these issues.
2. A user must have an account on the PostgreSQL server to exploit the issue described in CVE-2009-4136.
3. The CVE-2009-4034 and CVE-2009-4136 issues affect PostgreSQL 7.4.x prior to 7.4.27, 8.0.x prior to 8.0.23, 8.1.x prior to 8.1.19, 8.2.x prior to 8.2.15 and 8.3.x prior to 8.3.9 and versions 8.4.x prior to 8.4.2.
4. PostgreSQL 8.1 (SUNWpostgr), 8.2 (packages beginning with SUNWpostgr-82) and 8.3 (packages beginning with SUNWpostgr-83) can be installed at the same time and are separately impacted by these vulnerabilities.
To determine if a version of PostgreSQL is installed, a command such as the following can be used:
$ pkginfo | grep SUNWpostgrTo determine if PostgreSQL is running on a server, a command such as the following can be run as the user 'postgres' (or the 'root' user):
for PostgreSQL 8.1:
$ pg_ctl status -D /var/lib/pgsql/data/for PostgreSQL 8.2:
$ /usr/postgres/8.2/bin/pg_ctl status -D /var/postgres/8.2/data/for PostgreSQL 8.3:
$ /usr/postgres/8.3/bin/pg_ctl status -D /var/postgres/8.3/data/or (where applicable):
$ svcs -a | grep postgresql
There are no predictable symptoms that would indicate the described issues have been exploited.
To prevent the issue described in CVE-2009-4136 from being freshly exploited, the database administrator can revoke the "create" privilege from users by running the following commands:
REVOKE CREATE ON SCHEMA <schema> FROM <user>;
REVOKE CREATE ON TABLESPACE <tablespace> FROM <user>;
These issues are addressed in the following releases:
For more information on Security Sun Alerts, see 1009886.1.
Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
15-Jan-2010: Updated Contributing Factors and Resolution sections
19-Jan-2010: Updated Contributing Factors and Resolution sections; now Resolved
This solution has no attachment