Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Postgresql Patches Critical Vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Postgresql Patches Critical Vulnerability

The Postgresql team announced earlier today the release of patches for its popular open source database. The description of the vulnerability sounds quite scary. An attacker may cause corruption to the database, or if the attacker is able to log in, the attacker may then escalate privileges and in some cases execute arbitrary code.

The vulnerability is triggered by connecting to the database and specifying a database name that starts with a "-". This database does not have to exist for the vulnerability to be triggered. The database name starting with a "-" is then parsed as a command line argument and can be used to corrupt the database. 

There was some controversy about how the bug was handled by the postgresql team. But overall, they appear to have done a good job in patching this quickly. For the last few days, the postgresql source code repository was not viewable to prevent an early release of the vulnerability.

Of course, nobody should allow direct connections to the database from the Internet, but this bug may be exploitable after for example compromising a web server with a postgresql backend (a simple SQL injection is probably not enough, but other exploits that modify the database connect string could be used).

So in short: patch 



Johannes B. Ullrich, Ph.D.
SANS Technology Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4479 Posts
ISC Handler
Apr 5th 2013
"Of course, nobody should allow direct connections to the firewall from the outside, ..." should probably have read "Of course, nobody should allow direct connections to the database (through the firewall) from the outside, ..."
I'm always tempted to correct people's English on web sites, but then I think, "How well would I do if I tried to write in German/Portuguese, etc." The answer is not very well, since I only speak one language.

88 Posts

Sign Up for Free or Log In to start participating in the conversation!