Discussion: Tenable Report Issue even after upgrading to correct Postgres version


Tenable Report Issue even after upgrading to correct Postgres version

From
Kishore Isaac
Date:

To Whom It May Concern:

We were informed by a customer using Tenable reports that we needed to upgrade Postgres from 12.2 to 12.7 due to vulnerability issues. We have since upgraded to the requested version of Postgres (12.7) but the Tenable report scans still show that the version is 12.2. After reaching out to Tenable, we found that the version information is not updated in the system registry where Tenable is pulling the information from. Is there any resolution for this?

Below is the registry information:

[screenshot attachment]

And below this is proof that we upgraded the Postgres version:

[screenshot attachment]

Thanks,

Kishore Isaac

Phone                         301 477 7048

Web                            www.loccioni.com

________________________________________

PRIVACY

According to International Privacy Laws the information contained in this message is confidential and of exclusive use of the addressee(s). Should you receive this message by mistake, please delete it and send a written communication to privacy@loccioni.com

Please consider the environment before printing this email

Attachments

Re: Tenable Report Issue even after upgrading to correct Postgres version

From
Bruce Momjian
Date:
On Thu, Nov 11, 2021 at 03:49:29PM +0000, Kishore Isaac wrote:
> To Whom It May Concern:
> 
> We were informed by a customer using Tenable reports that we needed to upgrade
> Postgres from 12.2 to 12.7 due to vulnerability issues. We have since upgraded
> to the requested version of Postgres (12.7) but the Tenable report scans still
> show that the version is 12.2. After reaching out to Tenable, we found that
> the version information is not updated in the system registry where Tenable is
> pulling the information from. Is there any resolution for this?
> 
> Below is the registry information:

Uh, I have no idea what Tenable is, which I think means we don't control
that way of distributing Postgres.

-- 
  Bruce Momjian  <bruce@momjian.us>        https://momjian.us
  EDB                                      https://enterprisedb.com

  If only the physical world exists, free will is an illusion.




Re: Tenable Report Issue even after upgrading to correct Postgres version

From
"David G. Johnston"
Date:
On Thursday, November 11, 2021, Bruce Momjian <bruce@momjian.us> wrote:
> Uh, I have no idea what Tenable is, which I think means we don't control
> that way of distributing Postgres.

IIUC Tenable is just a system scanner. Apparently whoever built the Windows installer/upgrade binary for this customer (likely EDB) puts version info, during initial install, into the Windows Registry but doesn't update that information upon performing a minor release patch. This seems like a bug, though not of the core project but the distributor.

David J.

Re: Tenable Report Issue even after upgrading to correct Postgres version

From
Sandeep Thakkar
Date:
Hi,

I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded to version v12.9-1 (the latest stable release) and the registry entry was updated. I've attached the screenshots.

If the installation log is provided, we may know whether the upgrade was really successful.

--
Sandeep Thakkar


Attachments

Re: Tenable Report Issue even after upgrading to correct Postgres version

From
Dave Page
Date:


On Mon, Nov 15, 2021 at 10:05 AM Sandeep Thakkar <sandeep.thakkar@enterprisedb.com> wrote:
> I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded to version v12.9-1 (the latest stable release) and the registry entry was updated. I've attached the screenshots.


Please also note that Tenable should really *not* be checking what version is installed in this way, as that info is intended for the installer (and pgAdmin, and other similar apps) for internal use and non-security related service discovery. It is easily possible for a user to update parts of the PostgreSQL installation without changing that registry value, e.g. by unpacking the zipped binary distribution over an existing installation.

Any security scanner worth its salt should be examining the VERSIONINFO resource in postgres.exe to see what is actually installed (or connecting to the database server and asking it, but that might be harder).

-- 
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: https://www.enterprisedb.com

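As an added example (not code from the thread or from EDB), here is a PowerShell check along the lines Dave describes: it compares the installer's registry entry with the VERSIONINFO resource of postgres.exe and with what the running server reports, and flags the stale-registry case this thread is about. The registry key path, the value names 'Version' and 'Base Directory', and the psql path are assumptions; adjust them to the key quoted in your scanner finding.

```powershell
# Added example, not from the thread. Compares three sources of PostgreSQL
# version truth on a Windows host and flags a stale registry entry.
# ASSUMPTIONS (not stated in the thread): the registry key path, the
# 'Version' / 'Base Directory' value names the installer writes, and the
# psql path. Adjust them to the key your scanner finding quotes.
param(
    [string]$RegistryKey = 'HKLM:\SOFTWARE\PostgreSQL\Installations\postgresql-x64-12',
    [string]$PsqlPath    = 'C:\Program Files\PostgreSQL\12\bin\psql.exe'
)

# Keep only major.minor so an installer-style "12.7-1" and a resource- or
# server-style "12.7" compare as equal.
function Get-MajorMinor([string]$Text) {
    if ($Text -match '(\d+)\.(\d+)') { return "$($Matches[1]).$($Matches[2])" }
    return $null
}

# 1. What the installer wrote at install time (the source the scanner read).
$reg        = Get-ItemProperty -Path $RegistryKey -ErrorAction Stop
$regVersion = Get-MajorMinor $reg.Version
$baseDir    = $reg.'Base Directory'

# 2. What is actually on disk: the VERSIONINFO resource of postgres.exe.
$exe         = Join-Path $baseDir 'bin\postgres.exe'
$fileVersion = Get-MajorMinor (Get-Item $exe).VersionInfo.ProductVersion

# 3. What the running server says about itself (needs a reachable server and
#    credentials for the current user, e.g. via a pgpass file).
$serverVersion = $null
$raw = & $PsqlPath -X -t -A -c 'SHOW server_version;' 2>$null
if ($LASTEXITCODE -eq 0) { $serverVersion = Get-MajorMinor $raw }

[pscustomobject]@{
    Registry = $regVersion
    File     = $fileVersion
    Server   = $serverVersion
} | Format-List

if ($regVersion -ne $fileVersion) {
    Write-Warning "Registry says $regVersion but postgres.exe is $fileVersion: the registry value is stale, so a scanner reading it misreports this host."
}
if ($serverVersion -and $serverVersion -ne $fileVersion) {
    Write-Warning "Running server is $serverVersion but postgres.exe on disk is $fileVersion: the service has likely not been restarted since the upgrade."
}
```

Run it elevated on the database host; a mismatch between the first two fields reproduces the situation reported at the top of this thread, while a mismatch with the third catches the separate case of an upgraded binary that is not yet running.
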
RE: Tenable Report Issue even after upgrading to correct Postgres version

From
Kishore Isaac
Date:

Hi Dave,

Thanks for your response, is it possible to include the screenshots Sandeep sent?

Appreciate your help,

Kishore Isaac

Attachments

Re: Tenable Report Issue even after upgrading to correct Postgres version

From
Dave Page
Date:
Hi

On Mon, Nov 15, 2021 at 8:59 PM Kishore Isaac <k.isaac@loccioni.com> wrote:
> Hi Dave,
>
> Thanks for your response, is it possible to include the screenshots Sandeep sent?

Include them in what? They're already on his email and in the mailing list archives. I don't understand what you're asking for.

 

 

Attachments