Corrective updates have been released for all supported PostgreSQL branches (16.4, 15.8, 14.13, 13.16, 12.20), which fix 56 errors identified in the last three months. Among other things, the new versions fix a vulnerability (CVE-2024-7348) marked as dangerous (hazard level 8.8 out of 10). The vulnerability is caused by a race condition in the pg_dump utility, which allows an attacker who has the ability to create and delete permanent objects in the DBMS to execute arbitrary SQL code with the rights of the user under which the pg_dump utility is run (usually pg_dump is run with superuser rights to back up the DBMS).
For a successful attack, you need to track the time when the pg_dump utility is launched, which is easily implemented by manipulating an open transaction. The attack comes down to replacing a sequence with a view or foreign table that defines the SQL code to be run, at the moment during the pg_dump run when information about the presence of the sequence has already been received but its data has not yet been output. To block the vulnerability, the "restrict_nonsystem_relation_kind" setting has been added, which prohibits access to non-system views and foreign tables in pg_dump.
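As an added illustration (not part of the post above or of the PostgreSQL project), the session below shows how the new restrict_nonsystem_relation_kind setting behaves, so a DBA can confirm a server carries the fix and see what pg_dump's own session is now protected against. It assumes a patched server (16.4 / 15.8 / 14.13 / 13.16 / 12.20 or later) and a role that may create temporary objects; the demo_t and demo_v names are constructed for the example.

```sql
-- Added example, not from the original post. Assumes a patched PostgreSQL
-- server and a role that can create temporary objects in the current database.

-- 1. Confirm the fix is present: the GUC only exists on patched releases.
--    One row is expected on 16.4 / 15.8 / 14.13 / 13.16 / 12.20 and later;
--    zero rows means the server is unpatched (SHOW would raise
--    "unrecognized configuration parameter" there).
SELECT name, setting, short_desc
FROM pg_settings
WHERE name = 'restrict_nonsystem_relation_kind';

-- 2. Stand in for the shape of the CVE-2024-7348 scenario: a user-defined
--    view that a backup session could otherwise be steered into reading.
--    (Constructed demo objects; temporary so they vanish with the session.)
CREATE TEMP TABLE demo_t AS SELECT 1 AS n;
CREATE TEMP VIEW demo_v AS SELECT n FROM demo_t;

-- 3. Apply the same restriction that patched pg_dump applies to its own
--    session. Both supported relation kinds are listed, comma-separated.
SET restrict_nonsystem_relation_kind = 'view, foreign-table';

-- 4. Catalog (system) views keep working ...
SELECT count(*) FROM pg_views;

-- ... while any non-system view is refused with an "access ... is restricted"
--    error, which is exactly what stops the swapped-in view from executing
--    attacker-defined SQL under the dumping user's privileges.
SELECT * FROM demo_v;

-- 5. Restore normal behaviour for the rest of this session.
RESET restrict_nonsystem_relation_kind;
```

Running step 4's last statement is expected to fail; that failure is the mitigation working, and it is the reason both the server and the pg_dump binary need to be on a fixed release.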