Discussion: CVE-2022-2625
Good afternoon to everyone!
Tell me, is there a CVE-2022-2625 vulnerability in PostgreSQL 9.5? If so, who knows how to patch it? Patches from version 10 are not suitable at all...
On Wed, 2022-09-14 at 17:02 +0300, misha1966 misha1966 wrote:
> Tell me, is there a CVE-2022-2625 vulnerability in PostgreSQL 9.5?
> If so, who knows how to patch it? Patches from version 10 are not suitable at all...

Yes, that vulnerability exists in 9.5.

To patch that, you'd have to try and backpatch the commit to 9.5 yourself:
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b9b21acc766db54d8c337d508d0fe2f5bf2daab0

Since 9.5 is out of support, there are no more bugfixes for it provided
by the community. If security were a real concern for you, you would
certainly not be running a PostgreSQL version that is out of support.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
All business processes are hooked on postgresql 9.5. There is no way to update.
Unfortunately, I don't have the proper qualifications to change it.
Thursday, 15 September 2022, 1:58 +09:00 from Laurenz Albe <laurenz.albe@cybertec.at>:
> Since 9.5 is out of support, there are no more bugfixes for it provided
> by the community. If security were a real concern for you, you would
> certainly not be running a PostgreSQL version that is out of support.
On Thu, 2022-09-15 at 07:24 +0300, misha1966 misha1966 wrote:
> Thursday, 15 September 2022, 1:58 +09:00 from Laurenz Albe <laurenz.albe@cybertec.at>:
> > Since 9.5 is out of support, there are no more bugfixes for it provided
> > by the community. If security were a real concern for you, you would
> > certainly not be running a PostgreSQL version that is out of support.
>
> All business processes are hooked on postgresql 9.5. There is no way to update.
> Unfortunately, I don't have the proper qualifications to change it.

So these "business processes" are more important than security at your site.
That's fine; everybody has to make their choices.

But remember that there are also known data-eating bugs lurking in your
outdated software.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
Software is only certified for 9.5? Hopefully you're running 9.5.25.
I feel your pain... we've got some databases that will stay at 9.6 for another year.
On 9/14/22 23:24, misha1966 misha1966 wrote:
> All business processes are hooked on postgresql 9.5. There is no way to update.
> Unfortunately, I don't have the proper qualifications to change it.
--
Angular momentum makes the world go 'round.
All right :(
Thursday, 15 September 2022, 17:55 +09:00 from Ron <ronljohnsonjr@gmail.com>:
> Software is only certified for 9.5? Hopefully you're running 9.5.25.
> I feel your pain... we've got some databases that will stay at 9.6 for another year.
Is there a patch for 9.6?
Thursday, 15 September 2022, 17:55 +09:00 from Ron <ronljohnsonjr@gmail.com>:
> I feel your pain... we've got some databases that will stay at 9.6 for another year.
On Thu, 15 Sept 2022 at 16:52, misha1966 misha1966 <mmisha1966@bk.ru> wrote:
> Is there a patch for 9.6?
A quick Google search for "postgres CVE-2022-2625" gives you https://www.postgresql.org/support/security/CVE-2022-2625/. And this page tells you there's only a fix for releases 10 to 14. Moreover, fixes in 2022 won't have a patch for releases prior to v10.
--
Guillaume.
There are nine months of bug fixes.
On 9/15/22 09:52, misha1966 misha1966 wrote:
> Is there a patch for 9.6?

--
Angular momentum makes the world go 'round.
misha1966 misha1966 <mmisha1966@bk.ru> writes:
> Is there a patch for 9.6 ?

No; that's out of support too.

You might find that adapting the v10 patch back to 9.6, and
thence to 9.5, would be easier than trying to do it in one step.

I'm a little bemused by your fixation on this particular CVE,
though. As such things go, it's not a very big deal. It's only
of interest if you are routinely installing new extensions, *and*
those extensions' scripts contain insecure uses of CREATE OR
REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
instead. I would not have thought an institution that's so
frozen that it can't update to an in-support PG version would be
doing a lot of new extension installations.

In any case, the real thing you ought to be focusing on is whether
you are running back-ported patches for any of the *other* CVE-worthy
security bugs we've fixed since 9.5 went EOL. And how about the
data-corrupting bugs? Most longtime PG developers think data
corruption hazards are a good deal more important than a lot of
the stuff we assign CVEs to. Almost every CVE we've ever issued is
only relevant if you have hostile actors able to issue arbitrary SQL
in your database, in which case you're in a world of trouble anyway.

regards, tom lane
On 9/15/22 10:19, Tom Lane wrote:
> misha1966 misha1966 <mmisha1966@bk.ru> writes:
> > Is there a patch for 9.6 ?
>
> No; that's out of support too.
>
> You might find that adapting the v10 patch back to 9.6, and
> thence to 9.5, would be easier than trying to do it in one step.
>
> I'm a little bemused by your fixation on this particular CVE, though.

Some auditor might have issued a decree mandating all vulnerabilities greater than 7.0 must be patched.

> As such things go, it's not a very big deal. It's only of interest if you are
> routinely installing new extensions, *and* those extensions' scripts contain
> insecure uses of CREATE OR REPLACE/CREATE IF NOT EXISTS, *and* you can't fix
> the extensions instead. I would not have thought an institution that's so
> frozen that it can't update to an in-support PG version would be doing a lot
> of new extension installations.
>
> In any case, the real thing you ought to be focusing on is whether you are
> running back-ported patches for any of the *other* CVE-worthy security bugs
> we've fixed since 9.5 went EOL. And how about the data-corrupting bugs?

As to why they're auditing EOL software... no one has ever considered auditors or Upper Management to be rational or consistent.

> Most longtime PG developers think data corruption hazards are a good deal
> more important than a lot of the stuff we assign CVEs to. Almost every CVE
> we've ever issued is only relevant if you have hostile actors able to issue
> arbitrary SQL in your database, in which case you're in a world of trouble
> anyway.

--
Angular momentum makes the world go 'round.
On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
> misha1966 misha1966 <mmisha1966@bk.ru> writes:
> > Is there a patch for 9.6 ?
>
> No; that's out of support too.
>
> I'm a little bemused by your fixation on this particular CVE,
> though. As such things go, it's not a very big deal. It's only
> of interest if you are routinely installing new extensions, *and*
> those extensions' scripts contain insecure uses of CREATE OR
> REPLACE/CREATE IF NOT EXISTS, *and* you can't fix the extensions
> instead. I would not have thought an institution that's so
> frozen that it can't update to an in-support PG version would be
> doing a lot of new extension installations.

A lot of times, requests like that come from a brainless kind of
institutionalized security: we have to install all software updates
that say "CVE". Never mind that username = password and
the application is running with a superuser.

Yours,
Laurenz Albe
Laurenz Albe <laurenz.albe@cybertec.at> writes:
> On Thu, 2022-09-15 at 11:19 -0400, Tom Lane wrote:
>> I'm a little bemused by your fixation on this particular CVE,
>> though. As such things go, it's not a very big deal.

> A lot of times, requests like that come from a brainless kind of
> institutionalized security: we have to install all software updates
> that say "CVE". Never mind that username = password and
> the application is running with a superuser.

Indeed :-(. But we've issued several CVEs since 9.5 went out of
support --- notably, I'd say CVE-2022-1552 from the previous
minor-release cycle is a good deal more dangerous than this one.
So, again, why worry about -2625 in particular?

I'm still wondering whether the OP's installation is even on 9.5.latest;
if not, they've likely got even more serious things to worry about.
A quick troll through the 9.5.x release notes finds a lot of bugs...

regards, tom lane
How can I check this vulnerability? Which SQL should I execute?
Thursday, 15 September 2022, 17:22 +09:00 from Laurenz Albe <laurenz.albe@cybertec.at>:
> So these "business processes" are more important than security at your site.
> That's fine; everybody has to make their choices.
> But remember that there are also known data-eating bugs lurking in your
> outdated software.
On Mon, 2022-09-19 at 07:35 +0300, misha1966 misha1966 wrote:
> Thursday, 15 September 2022, 17:22 +09:00 from Laurenz Albe <laurenz.albe@cybertec.at>:
> > On Thu, 2022-09-15 at 07:24 +0300, misha1966 misha1966 wrote:
> > > Thursday, 15 September 2022, 1:58 +09:00 from Laurenz Albe <laurenz.albe@cybertec.at>:
> > > > To patch that, you'd have to try and backpatch the commit to 9.5 yourself:
> > > > https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b9b21acc766db54d8c337d508d0fe2f5bf2daab0
> >
> > So these "business processes" are more important than security at your site.
> > That's fine; everybody has to make their choices.
> > But remember that there are also known data-eating bugs lurking in your
> > outdated software.
>
> How can I check this vulnerability. Which SQL to execute?

Look at the commit message in the link above. You create a database object
(a function or view). Then you create an extension, and in the SQL script
you put "CREATE OR REPLACE ..." for that same object. If PostgreSQL allows
you to create the extension, you are vulnerable.

Yours,
Laurenz Albe
--
Cybertec | https://www.cybertec-postgresql.com
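The check described in that reply, written out as a shell script. This is an added example, not code from the thread or from the PostgreSQL project: it creates a plain function, installs a throwaway extension whose script tries to CREATE OR REPLACE that same function, and reports whether CREATE EXTENSION was refused. The extension name `cve_2022_2625_probe`, the function name `cve2625_probe_fn` and the scratch-database argument are assumptions, and the script needs `psql` and `pg_config` on the PATH plus write access to the server's extension directory.

```shell
#!/bin/sh
# Added example, not code from the thread: a probe for CVE-2022-2625 along the
# lines of the check Laurenz describes. Assumptions (all hypothetical): psql and
# pg_config are on PATH, the OS user may write to the server's extension
# directory, and a scratch database exists for the probe.
set -eu

EXT_NAME="cve_2022_2625_probe"   # hypothetical extension name
PROBE_FN="cve2625_probe_fn"      # hypothetical function name

# Write the control file and the version script of the throwaway extension
# into directory $1 (normally "$(pg_config --sharedir)/extension").
write_probe_extension() {
    dir="$1"
    cat > "$dir/$EXT_NAME.control" <<EOF
comment = 'probe for CVE-2022-2625 (constructed example, safe to drop)'
default_version = '1.0'
relocatable = true
EOF
    cat > "$dir/$EXT_NAME--1.0.sql" <<EOF
-- The extension script tries to replace an object it does not own.
CREATE OR REPLACE FUNCTION $PROBE_FN() RETURNS int LANGUAGE sql AS 'SELECT 2';
EOF
}

# Run the probe against database $1. Exit status 0 means the server is
# patched (CREATE EXTENSION was refused); 1 means it is vulnerable (the
# script was allowed to take over a pre-existing, non-extension object).
run_probe() {
    db="$1"
    # The pre-existing object the extension script will try to replace.
    psql -X -q -v ON_ERROR_STOP=1 -d "$db" -c \
        "CREATE FUNCTION $PROBE_FN() RETURNS int LANGUAGE sql AS 'SELECT 1';"
    if psql -X -q -v ON_ERROR_STOP=1 -d "$db" -c "CREATE EXTENSION $EXT_NAME;"; then
        echo "VULNERABLE: extension script replaced a pre-existing object"
        status=1
    else
        echo "PATCHED: CREATE EXTENSION refused to replace a pre-existing object"
        status=0
    fi
    # Clean up so the probe can be rerun; failures here are not interesting.
    psql -X -q -d "$db" -c \
        "DROP EXTENSION IF EXISTS $EXT_NAME; DROP FUNCTION IF EXISTS $PROBE_FN();" || true
    return "$status"
}

# Usage: sh probe.sh <scratch-database>
# (with no argument only the functions are defined, nothing is executed)
if [ $# -gt 0 ]; then
    write_probe_extension "$(pg_config --sharedir)/extension"
    run_probe "$1"
fi
```

Run it as `sh probe.sh <scratch-database>` against a test instance. The exit status carries the result (0 patched, 1 vulnerable), so it can be wired into an inventory or compliance check, and the probe drops what it created so it can be rerun. Because the fix lives in CREATE EXTENSION itself rather than in any particular extension script, a server that refuses this probe is protected regardless of which extensions are installed later.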
Thank you all! Everything worked out!
CVE-2022-2625 contains a lot more than it seems...
Friday, 16 September 2022, 0:19 +09:00 from Tom Lane <tgl@sss.pgh.pa.us>:
> misha1966 misha1966 <mmisha1966@bk.ru> writes:
> > Is there a patch for 9.6 ?
>
> No; that's out of support too.
>
> You might find that adapting the v10 patch back to 9.6, and
> thence to 9.5, would be easier than trying to do it in one step.
>
> I'm a little bemused by your fixation on this particular CVE,
> though. As such things go, it's not a very big deal.