Support Content Notification - Support Portal

USN-6538-2: PostgreSQL vulnerabilities

Product/Component

Notification Id

24809

Last Updated

23 July 2024

Initial Publication Date

23 July 2024

Status

CLOSED

Severity

MEDIUM

CVSS Base Score

WorkAround

Affected CVE

CVE-2023-5869;CVE-2023-5870;CVE-2023-5868

Severity

medium

Vendor

VMware Tanzu

Versions Affected

Canonical Ubuntu 18.04

USN-6538-1 fixed several vulnerabilities in PostgreSQL. This update provides the corresponding updates for Ubuntu 18.04 LTS. Original advisory details: Jingzhou Fu discovered that PostgreSQL incorrectly handled certain unknown arguments in aggregate function calls. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2023-5868) Pedro Gallegos discovered that PostgreSQL incorrectly handled modifying certain SQL array values. A remote attacker could use this issue to obtain sensitive information, or possibly execute arbitrary code. (CVE-2023-5869) Hemanth Sandrana and Mahendrakar Srinivasarao discovered that PostgreSQL allowed the pg_signal_backend role to signal certain superuser processes, contrary to expectations. (CVE-2023-5870) Update Instructions: Run `sudo pro fix USN-6538-2` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: postgresql-server-dev-10 - 10.23-0ubuntu0.18.04.2+esm1 postgresql-pltcl-10 - 10.23-0ubuntu0.18.04.2+esm1 libecpg6 - 10.23-0ubuntu0.18.04.2+esm1 libpq-dev - 10.23-0ubuntu0.18.04.2+esm1 libpgtypes3 - 10.23-0ubuntu0.18.04.2+esm1 postgresql-10 - 10.23-0ubuntu0.18.04.2+esm1 postgresql-plperl-10 - 10.23-0ubuntu0.18.04.2+esm1 libecpg-dev - 10.23-0ubuntu0.18.04.2+esm1 postgresql-plpython3-10 - 10.23-0ubuntu0.18.04.2+esm1 libpq5 - 10.23-0ubuntu0.18.04.2+esm1 postgresql-plpython-10 - 10.23-0ubuntu0.18.04.2+esm1 postgresql-doc-10 - 10.23-0ubuntu0.18.04.2+esm1 postgresql-client-10 - 10.23-0ubuntu0.18.04.2+esm1 libecpg-compat3 - 10.23-0ubuntu0.18.04.2+esm1 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro.

Fixed and Unaffected VMware Products and Versions

Cflinuxfs3

0.384.0 or greater

CF Deployment

30.0.0 or greater

Isolation Segment

2.11.46 or greater
2.13.32 or greater
4.0.16+LTS-T or greater
5.0.6 or greater
6.0.x unaffected

VMware Tanzu Applications Service for VMs

2.11.52 or greater
2.13.34 or greater
4.0.16+LTS-T or greater
5.0.6 or greater
6.0.x unaffected

References

https://ubuntu.com/security/notices/USN-6538-2

https://www.cloudfoundry.org/blog/usn-6538-2

https://cve.mitre.org/cgi-bin/cvename.cgi?name=usn-6538-2

https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24809

History

2024-01-17: Initial vulnerability report published.