Support Content Notification - Support Portal

SA67 : Multiple PostgreSQL vulnerabilities in IntelligenceCenter

Product/Component

IntelligenceCenter

0 more products

Notification Id

1242

Last Updated

03 March 2020

Initial Publication Date

10 January 2012

Status

CLOSED

Severity

HIGH

CVSS Base Score

CVSS v2: 7.4

WorkAround

Affected CVE

SUMMARY

IntelligenceCenter installs and uses a version of PostgreSQL that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to gain complete control over an IntelligenceCenter installation.

AFFECTED PRODUCTS

All versions of IntelligenceCenter prior to version 3.2.2.1 are vulnerable.

Patches

IntelligenceCenter 3.2 - a fix is available in 3.2.2.1.
IntelligenceCenter 3.1 and earlier - please upgrade to a later version.

ISSUES

CVE-2009-3229 - CVSS v2 base score: 2.7 (AV:A/AC:L/Au:S/C:N/I:N/A:P)

CVE-2009-3230 - CVSS v2 base score: 5.2 (AV:A/AC:L/Au:S/C:P/I:P/A:P)

CVE-2009-4034 - CVSS v2 base score: 4.3 (AV:A/AC:M/Au:N/C:N/I:P/A:P)

CVE-2009-4136 - CVSS v2 base score: 5.2 (AV:A/AC:L/Au:S/C:P/I:P/A:P)

CVE-2010-1169 - CVSS v2 base score: 7.4 (AV:A/AC:M/Au:S/C:C/I:C/A:C)

CVE-2010-1170 - CVSS v2 base score: 4.9 (AV:A/AC:M/Au:S/C:P/I:P/A:P)

CVE-2010-1975 - CVSS v2 base score: 4.1 (AV:A/AC:L/Au:S/C:P/I:P/A:N)

CVE-2010-3433 - CVSS v2 base score: 4.9 (AV:A/AC:M/Au:S/C:P/I:P/A:P)

CVE-2010-4015 - CVSS v2 base score: 5.2 (AV:A/AC:L/Au:S/C:P/I:P/A:P)

IntelligenceCenter 3.x installs and uses PostgreSQL version 8.4. IntelligenceCenter 2.x installs and uses PostgreSQL 8.2. Each version of PostgreSQL has several publicly documented vulnerabilities.

The most severe vulnerability allows an attacker to gain complete control over an IntelligenceCenter installation. The attacker can view and modify configuration data as well as data sent to and from IntelligenceCenter. An attacker can also render IntelligenceCenter completely unresponsive for administrative control as well as data transmission.

When IntelligenceCenter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.

If IntelligenceCenter is deployed outside of the firewall. the CVSS base score for all CVEs listed would be higher. The CVSS base score for this security advisory would be a 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C).

IntelligenceCenter 3.2.2.1 contains an upgrade to PostgreSQL 8.4.7 fixing the CVEs documented in this security advisory.

MITIGATION

Blue Coat recommends that IntelligenceCenter be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to IntelligenceCenter will greatly limit the ability to attack an IntelligenceCenter installation.

REFERENCES

REVISION

2012-01-17 Changed status to final
2012-01-10 Initial public release