
Addressing PostgreSQL Vulnerabilities in Ubuntu

Rohan Timalsina

May 23, 2024 - TuxCare expert team

In recent updates, the Ubuntu security team has addressed multiple security issues found in PostgreSQL, an object-relational SQL database. These issues affect various Ubuntu releases, including Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04, and Ubuntu 16.04. In this article, we look at the details of the PostgreSQL vulnerabilities that have been patched and at options for end-of-life Ubuntu systems such as Ubuntu 16.04 and Ubuntu 18.04.

PostgreSQL Vulnerabilities Fixed in Ubuntu

CVE-2023-5868

This is a memory disclosure vulnerability in PostgreSQL: certain aggregate function calls with unknown-type arguments produce excessive data output, which allows a remote attacker to read portions of system memory and obtain sensitive information.

CVE-2023-5869

This vulnerability allows authenticated database users to execute arbitrary code because overflow checks are missing when SQL array values are modified. The integer overflow during array modification can be triggered remotely with specially crafted data, and exploiting it lets an attacker write arbitrary bytes to memory, read the server's memory extensively, and run arbitrary code on the target system.

CVE-2023-5870

The pg_signal_backend role is not supposed to be able to signal "a backend owned by a superuser," but it can signal background workers such as the logical replication launcher, the autovacuum workers, and the autovacuum launcher. This could enable a remote user with high privileges to cause a denial of service (DoS). Exploiting this PostgreSQL vulnerability requires a specific condition, however: a non-core extension with a less resilient background worker. For instance, a non-core background worker that does not auto-restart would suffer a denial of service specific to that background worker.

CVE-2024-0985

A late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY enables an object creator to execute arbitrary SQL functions as the command issuer. The command is designed to execute SQL functions as the materialized view's owner so that untrusted views can be refreshed safely, but the flaw allows a superuser, or a member of one of the attacker's roles, to become a victim. This vulnerability affects versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18. Notably, known exploits do not function in PostgreSQL 16 and later versions.

Securing Ubuntu Systems

For supported Ubuntu releases such as Ubuntu 23.10, Ubuntu 23.04, Ubuntu 22.04 LTS, and Ubuntu 20.04 LTS, patching these PostgreSQL vulnerabilities is straightforward: update your PostgreSQL package to the latest version available for your Ubuntu release. Ubuntu 16.04 and Ubuntu 18.04, however, have already reached end-of-life status, so security updates for them are provided exclusively through an Ubuntu Pro subscription.
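As an added example (not from the article, Ubuntu, or the PostgreSQL project), the POSIX shell check below classifies a PostgreSQL version string against the upstream releases the article lists as fixing CVE-2024-0985 (15.6, 14.11, 13.14, 12.18, with 16 and later not affected). The Ubuntu package versions from USN-6538-1 are not on this page, so the check compares upstream major.minor only; the function names and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's or the project's own code.
# Classifies a PostgreSQL server version against the first upstream release
# that fixed CVE-2024-0985 (per the article: 15.6, 14.11, 13.14, 12.18).
# PostgreSQL 16 and later are treated as not affected, as the article states.
# Ubuntu package revisions from USN-6538-1 are not checked here.

# pg_fixed_for_cve_2024_0985 MAJOR MINOR -> prints "fixed" or "vulnerable"
pg_fixed_for_cve_2024_0985() {
    major=$1
    minor=$2
    case "$major" in
        16|1[7-9]|[2-9][0-9]) echo fixed ;;
        15) [ "$minor" -ge 6 ]  && echo fixed || echo vulnerable ;;
        14) [ "$minor" -ge 11 ] && echo fixed || echo vulnerable ;;
        13) [ "$minor" -ge 14 ] && echo fixed || echo vulnerable ;;
        12) [ "$minor" -ge 18 ] && echo fixed || echo vulnerable ;;
        *)  echo vulnerable ;;   # 11 and older receive no upstream fix
    esac
}

# pg_check_version_string "PostgreSQL 14.10 (Ubuntu ...) on x86_64-pc-linux-gnu"
# Extracts major.minor from the text that `psql -Atc 'SELECT version()'` or
# `pg_config --version` prints, then reports the status; "unknown" if unparsable.
pg_check_version_string() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^PostgreSQL \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 1
    fi
    set -- $ver            # $1 = major, $2 = minor
    pg_fixed_for_cve_2024_0985 "$1" "$2"
}

# Constructed sample strings (not output captured from a real system):
pg_check_version_string "PostgreSQL 14.10 (Ubuntu 14.10-0ubuntu0.22.04.1) on x86_64-pc-linux-gnu"
pg_check_version_string "PostgreSQL 15.6 (Ubuntu 15.6-0ubuntu0.23.10.1) on x86_64-pc-linux-gnu"
```

On a live server, feed it the real string with `pg_check_version_string "$(pg_config --version)"`.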

Alternatively, you can use a more affordable option, TuxCare's Extended Lifecycle Support, which provides automated security patches for Ubuntu 16.04 and Ubuntu 18.04 for an additional five years after the EOL date. This includes the latest vulnerability fixes for a range of packages, including PostgreSQL, the Linux kernel, and common shared libraries such as glibc, openssh, openssl, and zlib. Other covered packages include httpd, mysql, php, perl, and python. Find more information on the Extended Lifecycle Support page.

Send questions to a TuxCare security expert to learn more about how to get started with Extended Lifecycle Support for Ubuntu.

Source: USN-6538-1
