Ubuntu Fixes a High-Severity PostgreSQL Vulnerability
2024-09-09 17:00:29 Author: securityboulevard.com

PostgreSQL is an open-source, widely used object relational SQL database. However, like any other software, it is not immune to vulnerabilities. A new high-severity vulnerability has been discovered in PostgreSQL versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20.

Canonical has released security updates to address this vulnerability in several releases, including Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS. Users are strongly recommended to update to the latest patched version of PostgreSQL.

What is the PostgreSQL Vulnerability?

A Time-of-check Time-of-use (TOCTOU) race condition was identified in the pg_dump utility of PostgreSQL. The flaw allows an attacker who holds object creation privileges in the database to execute arbitrary functions as the superuser running pg_dump. The attack works by replacing a relation of one type with a view or foreign table between the moment pg_dump checks the relation and the moment it uses it. Although the attacker must wait for a pg_dump run to begin, winning the race is straightforward if the attacker holds an open transaction.


Time-of-check Time-of-use is a type of race condition vulnerability that occurs when there is a gap between the time a system checks a resource (like a file or object) and the time it actually uses that resource. During this gap, an attacker can manipulate the resource to alter its state, leading to unintended or malicious behavior by the system.

Time-of-check: This is when the system verifies certain conditions, such as permissions or validity, to determine whether an operation should proceed.

Time-of-use: This is when the system actually performs the operation, such as reading, writing, or executing a file.

The vulnerability arises because these two steps are not atomic: the check and the use are separate operations, and other activity can occur between them. An attacker exploits this gap by changing the resource's state, or replacing it with a different resource, after the check has passed but before the resource is used.

Available Updates

If you are running an affected PostgreSQL version, it is crucial to update to the latest release as soon as possible. Canonical's security updates cover Ubuntu 24.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS; Ubuntu users can obtain the patched packages from the PostgreSQL APT repository.
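A quick way to check whether a given server or client is still on a vulnerable release is to compare its version against the fixed minor releases listed above (16.4, 15.8, 14.13, 13.16, 12.20). The script below is an added example, not code from the post or from TuxCare; it parses the output of `SELECT version()` or `pg_dump --version` and reports the status. It assumes that major series older than 12 never received a fix and that series newer than 16 shipped after the fix, both of which are assumptions rather than statements from the post.

```python
import re

# Minimum fixed minor release per major series, as stated in the post
# (PostgreSQL 16.4, 15.8, 14.13, 13.16 and 12.20 fix CVE-2024-7348).
FIXED_RELEASES = {16: 4, 15: 8, 14: 13, 13: 16, 12: 20}

# Matches both "PostgreSQL 14.12 (Ubuntu ...)" from SELECT version()
# and "pg_dump (PostgreSQL) 14.12 (Ubuntu ...)" from --version output.
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)\.(\d+)")


def parse_pg_version(text):
    """Return (major, minor) from a version banner, or None if absent."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(major, minor):
    """True if the release predates the fix for CVE-2024-7348."""
    if major in FIXED_RELEASES:
        return minor < FIXED_RELEASES[major]
    # Assumption: majors below 12 are EOL upstream and unfixed;
    # majors above 16 were released after the fix landed.
    return major < 12


def assess(banner):
    """Classify a version banner as 'vulnerable', 'fixed' or 'unknown'."""
    parsed = parse_pg_version(banner)
    if parsed is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(*parsed) else "fixed"


if __name__ == "__main__":
    # Constructed sample banners; real ones come from `psql -c "SELECT version()"`
    # or `pg_dump --version` on the host being checked.
    samples = [
        "PostgreSQL 14.12 (Ubuntu 14.12-0ubuntu0.22.04.1) on x86_64-pc-linux-gnu",
        "pg_dump (PostgreSQL) 16.4 (Ubuntu 16.4-0ubuntu0.24.04.1)",
    ]
    for s in samples:
        print(f"{assess(s):>10}  {s}")
```

A backported patch that keeps the old version string, as some extended-support patches do, will still be reported as vulnerable by this check; in that case consult the package changelog instead.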

The Debian security team has also provided security updates for Debian 11 and Debian 12.

Patching PostgreSQL Vulnerabilities in Older Linux Versions

The PostgreSQL vulnerability (CVE-2024-7348) also impacts CentOS 7, Ubuntu 16.04, and Ubuntu 18.04 systems that no longer receive official updates, including security fixes. These are outdated versions which have already reached the end of life (EOL). However, they are still in use among some users and organizations due to operational constraints or legacy software.

Users and organizations relying on these older Linux distributions can utilize TuxCare’s Extended Lifecycle Support to continue receiving security updates for up to five years after the official end of life date. This service offers patches for over 140 packages, including the Linux kernel, glibc, OpenSSL, PostgreSQL, Python, OpenJDK, and more.

The ELS team has recently released a patch for the above vulnerability across CentOS 7, Ubuntu 16.04, and Ubuntu 18.04. You can track the patch status for every vulnerability in our CVE tracker.

Source: USN-6968-1

The post Ubuntu Fixes a High-Severity PostgreSQL Vulnerability appeared first on TuxCare.

This is a Security Bloggers Network syndicated blog from TuxCare authored by Rohan Timalsina. Read the original post at: https://tuxcare.com/blog/ubuntu-fixes-a-high-severity-postgresql-vulnerability/


Article source: https://securityboulevard.com/2024/09/ubuntu-fixes-a-high-severity-postgresql-vulnerability/