Discussion: Tenable Report Issue even after upgrading to correct Postgres version
To Whom It May Concern:
We were informed by a customer using Tenable reports that we needed to upgrade Postgres from 12.2 to 12.7 due to vulnerability issues. We have since upgraded to the requested version of Postgres (12.7) but the Tenable report scans still show that the version is 12.2. After reaching out to Tenable, we found that the version information is not updated in the system registry where Tenable is pulling the information from. Is there any resolution for this?
Below is the registry information:
And below this is proof that we upgraded the Postgres version:
Thanks,
Kishore Isaac
Phone 301 477 7048
Web www.loccioni.com
________________________________________
PRIVACY
According to International Privacy Laws the information contained in this message is confidential and of exclusive use of the addressee(s). Should you receive this message by mistake, please delete it and send a written communication to privacy@loccioni.com
Please consider the environment before printing this email
Re: Tenable Report Issue even after upgrading to correct Postgres version
On Thu, Nov 11, 2021 at 03:49:29PM +0000, Kishore Isaac wrote:
> To Whom It May Concern:
>
> We were informed by a customer using Tenable reports that we needed to upgrade
> Postgres from 12.2 to 12.7 due to vulnerability issues. We have since upgraded
> to the requested version of Postgres (12.7) but the Tenable report scans still
> show that the version is 12.2. After reaching out to Tenable, we found that
> the version information is not updated in the system registry where Tenable is
> pulling the information from. Is there any resolution for this?
>
> Below is the registry information:
Uh, I have no idea what Tenable is, which I think means we don't control
that way of distributing Postgres.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
On Thursday, November 11, 2021, Bruce Momjian <bruce@momjian.us> wrote:
> On Thu, Nov 11, 2021 at 03:49:29PM +0000, Kishore Isaac wrote:
>
>
> We were informed by a customer using Tenable reports that we needed to upgrade
> Postgres from 12.2 to 12.7 due to vulnerability issues. We have since upgraded
> to the requested version of Postgres (12.7) but the Tenable report scans still
> show that the version is 12.2. After reaching out to Tenable, we found that
> the version information is not updated in the system registry where Tenable is
> pulling the information from. Is there any resolution for this?
>
>
>
> Below is the registry information:
> Uh, I have no idea what Tenable is, which I think means we don't control
> that way of distributing Postgres.
IIUC Tenable is just a system scanner. Apparently whoever built the Windows installer/upgrade binary for this customer (likely EDB) puts version info, during initial install, into the Windows Registry but doesn't update that information upon performing a minor release patch. This seems like a bug, though not of the core project but the distributor.
David J.
Hi,
I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded to version v12.9-1 (the latest stable release) and the registry entry was updated. I've attached the screenshots.
Hi Dave,
Thanks for your response, is it possible to include the screenshots Sandeep sent?
Appreciate your help,
Kishore Isaac
From: Dave Page <dpage@pgadmin.org>
Sent: Monday, November 15, 2021 5:13 AM
To: Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>
Cc: David G. Johnston <david.g.johnston@gmail.com>; Bruce Momjian <bruce@momjian.us>; Kishore Isaac <k.isaac@loccioni.com>; pgsql-bugs@lists.postgresql.org
Subject: Re: Tenable Report Issue even after upgrading to correct Postgres version
On Mon, Nov 15, 2021 at 10:05 AM Sandeep Thakkar <sandeep.thakkar@enterprisedb.com> wrote:
Hi,
I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded to version v12.9-1 (the latest stable release) and the registry entry was updated. I've attached the screenshots.
Please also note that Tenable should really *not* be checking what version is installed in this way, as that info is intended for the installer (and pgAdmin, and other similar apps) for internal use and non-security related service discovery. It is easily possible for a user to update parts of the PostgreSQL installation without changing that registry value, e.g. by unpacking the zipped binary distribution over an existing installation.
Any security scanner worth its salt should be examining the VERSIONINFO resource in postgres.exe to see what is actually installed (or connecting to the database server and asking it, but that might be harder).
--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake
EDB: https://www.enterprisedb.com
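A check for the discrepancy Dave describes, added here as an example and not code from the thread or from EDB: it reads what the installer recorded in the registry and compares it with the VERSIONINFO resource of postgres.exe and with what the binary itself reports, so a stale registry value shows up as a mismatch. The registry path HKLM:\SOFTWARE\PostgreSQL\Installations and the value names 'Version' and 'Base Directory' are assumptions about the EDB installer layout; adjust them if your installation differs.

```powershell
# Assumption: the EDB installer records each instance under this key with
# 'Version' and 'Base Directory' values. Not from the thread; adjust as needed.
$installRoot = 'HKLM:\SOFTWARE\PostgreSQL\Installations'

# Reduce "12.2-4", "12.7", "12.7.0" etc. to major.minor for comparison.
function Get-MajorMinor([string]$v) {
    if ($v -match '(\d+)\.(\d+)') { "$($Matches[1]).$($Matches[2])" } else { $null }
}

function Get-PostgresVersionReport {
    foreach ($key in Get-ChildItem -Path $installRoot -ErrorAction SilentlyContinue) {
        $props       = Get-ItemProperty -Path $key.PSPath
        $registryVer = [string]$props.Version
        $baseDir     = [string]$props.'Base Directory'
        $exe         = Join-Path $baseDir 'bin\postgres.exe'

        $fileVer = $null
        $cliVer  = $null
        if (Test-Path $exe) {
            # VERSIONINFO resource embedded in the binary (what Dave suggests checking).
            $fileVer = (Get-Item $exe).VersionInfo.ProductVersion
            # Ask the binary directly; output looks like "postgres (PostgreSQL) 12.7".
            $line   = & $exe --version 2>$null | Select-Object -First 1
            $cliVer = Get-MajorMinor ([string]$line)
        }

        [pscustomobject]@{
            Installation    = $key.PSChildName
            RegistryVersion = $registryVer
            FileVersion     = $fileVer
            BinaryVersion   = $cliVer
            # True when the registry still advertises an older release than
            # the binary on disk, which is the situation reported in this thread.
            RegistryStale   = ((Get-MajorMinor $registryVer) -ne $cliVer)
        }
    }
}

Get-PostgresVersionReport | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the database host; a row with RegistryStale set to True is exactly the case where a registry-based scanner would keep reporting the pre-upgrade version.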