Discussion: CVE-2022-2625


CVE-2022-2625

From: misha1966 misha1966
Good afternoon to everyone!

Tell me, is there a CVE-2022-2625 vulnerability in PostgreSQL 9.5? If so, who knows how to patch it? Patches from version 10 are not suitable at all...

Re: CVE-2022-2625

From: Laurenz Albe
On Wed, 2022-09-14 at 17:02 +0300, misha1966 misha1966 wrote:
> Tell me, is there a CVE-2022-2625 vulnerability in PostgreSQL 9.5?
> If so, who knows how to patch it? Patches from version 10 are not suitable at all...

Yes, that vulnerability exists in 9.5.

To patch that, you'd have to try and backpatch the commit to 9.5 yourself:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b9b21acc766db54d8c337d508d0fe2f5bf2daab0

Since 9.5 is out of support, there are no more bugfixes for it provided
by the community.  If security were a real concern for you, you would
certainly not be running a PostgreSQL version that is out of support.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com



Re[2]: CVE-2022-2625

From: misha1966 misha1966
All business processes are hooked on postgresql 9.5. There is no way to update.
Unfortunately, I don't have the proper qualifications to change it.
 

Re: Re[2]: CVE-2022-2625

From: Laurenz Albe
On Thu, 2022-09-15 at 07:24 +0300, misha1966 misha1966 wrote:
> All business processes are hooked on postgresql 9.5. There is no way to update.
> Unfortunately, I don't have the proper qualifications to change it.

So these "business processes" are more important than security at your site.
That's fine; everybody has to make their choices.
But remember that there are also known data-eating bugs lurking in your
outdated software.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com



Re: CVE-2022-2625

From: Ron
Software is only certified for 9.5?  Hopefully you're running 9.5.25.

I feel your pain... we've got some databases that will stay at 9.6 for another year.

On 9/14/22 23:24, misha1966 misha1966 wrote:
> All business processes are hooked on postgresql 9.5. There is no way to update.
> Unfortunately, I don't have the proper qualifications to change it.
 

--
Angular momentum makes the world go 'round.

Re[2]: CVE-2022-2625

From: misha1966 misha1966
All right :(
 
 
 

Re[2]: CVE-2022-2625

From: misha1966 misha1966
Is there a patch for 9.6?
 
 
 

Re: Re[2]: CVE-2022-2625

From: Guillaume Lelarge
On Thu, 15 Sept 2022 at 16:52, misha1966 misha1966 <mmisha1966@bk.ru> wrote:
> Is there a patch for 9.6?

A quick Google search for "postgres CVE-2022-2625" gives you https://www.postgresql.org/support/security/CVE-2022-2625/. And this page tells you there's only a fix for releases 10 to 14. Moreover, fixes in 2022 won't have a patch for releases prior to v10.

 
 
 


--
Guillaume.

Re: CVE-2022-2625

From: Ron
There are nine months of bug fixes.

On 9/15/22 09:52, misha1966 misha1966 wrote:
> Is there a patch for 9.6?
 
 
 

--
Angular momentum makes the world go 'round.

Re: Re[2]: CVE-2022-2625

From: Tom Lane
misha1966 misha1966 <mmisha1966@bk.ru> writes:
> Is there a patch for 9.6?

No; that's out of support too.

You might find that adapting the v10 patch back to 9.6, and
thence to 9.5, would be easier than trying to do it in one step.

I'm a little bemused by your fixation on this particular CVE,
though.  As such things go, it's not a very big deal.  It's only
of interest if you are routinely installing new extensions, *and*
those extensions' scripts contain insecure uses of CREATE OR
REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
instead.  I would not have thought an institution that's so
frozen that it can't update to an in-support PG version would be
doing a lot of new extension installations.

In any case, the real thing you ought to be focusing on is whether
you are running back-ported patches for any of the *other* CVE-worthy
security bugs we've fixed since 9.5 went EOL.  And how about the
data-corrupting bugs?  Most longtime PG developers think data
corruption hazards are a good deal more important than a lot of
the stuff we assign CVEs to.  Almost every CVE we've ever issued is
only relevant if you have hostile actors able to issue arbitrary SQL
in your database, in which case you're in a world of trouble anyway.

            regards, tom lane



Re: CVE-2022-2625

From: Ron
On 9/15/22 10:19, Tom Lane wrote:
> misha1966 misha1966 <mmisha1966@bk.ru> writes:
>> Is there a patch for 9.6?
> No; that's out of support too.
>
> You might find that adapting the v10 patch back to 9.6, and
> thence to 9.5, would be easier than trying to do it in one step.
>
> I'm a little bemused by your fixation on this particular CVE,
> though.

Some auditor might have issued a decree mandating all vulnerabilities greater than 7.0 must be patched.

> As such things go, it's not a very big deal.  It's only
> of interest if you are routinely installing new extensions, *and*
> those extensions' scripts contain insecure uses of CREATE OR
> REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
> instead.  I would not have thought an institution that's so
> frozen that it can't update to an in-support PG version would be
> doing a lot of new extension installations.
>
> In any case, the real thing you ought to be focusing on is whether
> you are running back-ported patches for any of the *other* CVE-worthy
> security bugs we've fixed since 9.5 went EOL.  And how about the
> data-corrupting bugs?

As to why they're auditing EOL software... no one has ever considered auditors or Upper Management to be rational or consistent.

> Most longtime PG developers think data
> corruption hazards are a good deal more important than a lot of
> the stuff we assign CVEs to.  Almost every CVE we've ever issued is
> only relevant if you have hostile actors able to issue arbitrary SQL
> in your database, in which case you're in a world of trouble anyway.


--
Angular momentum makes the world go 'round.

Re: Re[2]: CVE-2022-2625

From: Laurenz Albe
On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
> misha1966 misha1966 <mmisha1966@bk.ru> writes:
> > Is there a patch for 9.6?
> 
> No; that's out of support too.
> 
> I'm a little bemused by your fixation on this particular CVE,
> though.  As such things go, it's not a very big deal.  It's only
> of interest if you are routinely installing new extensions, *and*
> those extensions' scripts contain insecure uses of CREATE OR
> REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
> instead.  I would not have thought an institution that's so
> frozen that it can't update to an in-support PG version would be
> doing a lot of new extension installations.

A lot of times, requests like that come from a brainless kind of
institutionalized security: we have to install all software updates
that say "CVE".  Never mind that username = password and
the application is running with a superuser.

Yours,
Laurenz Albe



Re: Re[2]: CVE-2022-2625

From: Tom Lane
Laurenz Albe <laurenz.albe@cybertec.at> writes:
> On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
>> I'm a little bemused by your fixation on this particular CVE,
>> though.  As such things go, it's not a very big deal.

> A lot of times, requests like that come from a brainless kind of
> institutionalized security: we have to install all software updates
> that say "CVE".  Never mind that username = password and
> the application is running with a superuser.

Indeed :-(.  But we've issued several CVEs since 9.5 went out
of support --- notably, I'd say CVE-2022-1552 from the previous
minor-release cycle is a good deal more dangerous than this one.
So, again, why worry about -2625 in particular?

I'm still wondering whether the OP's installation is even on
9.5.latest; if not, they've likely got even more serious things
to worry about.  A quick troll through the 9.5.x release notes
finds a lot of bugs...

            regards, tom lane



Re[4]: CVE-2022-2625

From: misha1966 misha1966
How can I check this vulnerability? Which SQL to execute?
 
 

Re: Re[4]: CVE-2022-2625

From: Laurenz Albe
On Mon, 2022-09-19 at 07:35 +0300, misha1966 misha1966 wrote:
> How can I check this vulnerability? Which SQL to execute?

Look at the commit message in the link above.

You create a database object (a function or view).  Then you create an extension,
and in the SQL script you put "CREATE OR REPLACE ..." for that same object.

If PostgreSQL allows you to create the extension, you are vulnerable.

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
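The check Laurenz describes (pre-create a function, then install an extension whose script does CREATE OR REPLACE on that same name, and see whether the server lets it through), written out as an added example that is not from the thread or from the PostgreSQL project. It assumes psql and pg_config on PATH, a superuser session on a scratch database selected through the usual PG* environment variables, and a writable extension directory; the extension name, the function name and the "not a member of extension" error text it looks for are assumptions, not values taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: probe a server for the
# CVE-2022-2625 behaviour the way Laurenz describes it.
# Assumptions (not from the thread): psql and pg_config are on PATH,
# PG* environment variables point at a superuser session on a scratch
# database, and the extension directory is writable. The extension and
# function names and the "not a member of extension" text are assumed.
set -u

EXT=cve_2022_2625_probe       # throwaway extension name (assumed)
FUNC=cve_2022_2625_probe_fn   # pre-existing object the script will target

# Interpret CREATE EXTENSION's exit status ($1) and stderr ($2):
#   success                     -> script replaced an object it does not own
#   "not a member of extension" -> the fix's membership check fired
#   anything else               -> permissions, missing files, ...: inconclusive
classify() {
  if [ "$1" -eq 0 ]; then
    echo vulnerable
  elif printf '%s' "$2" | grep -qi 'not a member of extension'; then
    echo patched
  else
    echo inconclusive
  fi
}

# Write a minimal control file and a script whose only statement is
# CREATE OR REPLACE on a name that already exists outside the extension.
install_probe_extension() {
  dir="$(pg_config --sharedir)/extension"
  printf "comment = 'CVE-2022-2625 probe, remove after use'\n" > "$dir/$EXT.control"
  printf "default_version = '1.0'\nrelocatable = true\n" >> "$dir/$EXT.control"
  printf "CREATE OR REPLACE FUNCTION %s() RETURNS int LANGUAGE sql AS 'SELECT 2';\n" \
    "$FUNC" > "$dir/$EXT--1.0.sql"
}

# Undo everything: in the vulnerable case the function became an
# extension member, so DROP EXTENSION removes it; otherwise DROP FUNCTION does.
remove_probe_extension() {
  dir="$(pg_config --sharedir)/extension"
  psql -qX -c "DROP EXTENSION IF EXISTS $EXT; DROP FUNCTION IF EXISTS $FUNC();" \
    >/dev/null 2>&1
  rm -f "$dir/$EXT.control" "$dir/$EXT--1.0.sql"
}

run_probe() {
  install_probe_extension
  # Step 1: the object exists before the extension does.
  psql -qX -v ON_ERROR_STOP=1 -c \
    "CREATE FUNCTION $FUNC() RETURNS int LANGUAGE sql AS 'SELECT 1';" >/dev/null
  # Step 2: installing the extension makes its script CREATE OR REPLACE it.
  err=$(psql -qX -v ON_ERROR_STOP=1 -c "CREATE EXTENSION $EXT;" 2>&1 >/dev/null)
  status=$?
  remove_probe_extension
  classify "$status" "$err"
}

# Touch a real server only when explicitly asked to.
if [ "${RUN_CVE_2022_2625_PROBE:-0}" = 1 ]; then
  run_probe
fi
```

Run it as `RUN_CVE_2022_2625_PROBE=1 sh probe.sh` against a scratch database; it prints vulnerable, patched or inconclusive and removes the throwaway extension afterwards.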



Re[4]: CVE-2022-2625

From: misha1966 misha1966
Thank you all! Everything worked out!

CVE-2022-2625 contains a lot more than it seems...
 
 