23 Apr 2013

Security News - PostgreSQL CVE-2013-1899

Written by Matt

A little old by now, but I just remembered this and went to check that my PostgreSQL install is patched. There was a recent, fairly severe security issue in the PostgreSQL daemon that made it treat the name of the database a client connects to as a command-line argument when that name starts with "-", giving the client a sort of local-level access even when the daemon is not running on the same machine.

There's a full report on the severity of the vulnerability here: http://blog.blackwinghq.com/2013/04/08/2/.

I'd say this shouldn't matter for most people, as PostgreSQL would in most cases be run locally or over a UNIX socket, where it isn't reachable from outside the machine. However, most managed servers use over-network clustered database systems, and most people don't firewall their VPSes properly or bind PostgreSQL to 0.0.0.0, which makes this exploit work in a lot more cases. As the entry above says, there are over 300,000 hosts listening on port 5432 (the default PostgreSQL port).
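The check the paragraph above implies, as an added example that is not code from the original post or from the PostgreSQL project: a small POSIX sh audit that reads a postgresql.conf and reports whether the server accepts connections from other hosts, which is the precondition the post gives for this flaw mattering. `listen_addresses` and `port` are real postgresql.conf settings, and their defaults (`'localhost'` and 5432) are PostgreSQL's own; the function names and the sample configs are this example's, constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post or from the PostgreSQL project.
# It audits a postgresql.conf for the condition the post singles out as what
# makes CVE-2013-1899 reachable from another host: listening on a non-loopback
# address. listen_addresses and port are real postgresql.conf settings; the
# functions and the sample configs below are this example's own.

# pg_setting FILE KEY DEFAULT
# Print the effective value of KEY in FILE. PostgreSQL takes the last
# uncommented assignment; quotes and trailing comments are stripped and
# DEFAULT is printed when KEY is never set.
pg_setting() {
    _line=$(grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1)
    if [ -z "$_line" ]; then
        printf '%s\n' "$3"
        return 0
    fi
    printf '%s\n' "$_line" | sed \
        -e 's/^[^=]*=[[:space:]]*//' \
        -e 's/#.*$//' \
        -e "s/^'//" \
        -e "s/'[[:space:]]*$//" \
        -e 's/[[:space:]]*$//'
}

# pg_exposure FILE
# Print "local" when TCP connections are accepted only on loopback (or not at
# all, as with listen_addresses = ''), "network" when any configured address
# can be reached from another host. The PostgreSQL default is 'localhost'.
pg_exposure() {
    _addrs=$(pg_setting "$1" listen_addresses localhost)
    _result=local
    _old_ifs=$IFS
    IFS=,
    for _a in $_addrs; do
        _a=$(printf '%s' "$_a" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        case "$_a" in
            ''|localhost|127.0.0.1|::1) ;;   # loopback forms: not reachable off-host
            *) _result=network ;;            # '*', '0.0.0.0', '::' or a real interface
        esac
    done
    IFS=$_old_ifs
    printf '%s\n' "$_result"
}

# pg_report FILE
# One-line summary, convenient when run over every host in a fleet.
pg_report() {
    printf '%s: %s exposure on port %s\n' \
        "$1" "$(pg_exposure "$1")" "$(pg_setting "$1" port 5432)"
}

# Constructed sample configs, not taken from any real server.
_demo_dir=$(mktemp -d)
trap 'rm -rf "$_demo_dir"' EXIT
cat > "$_demo_dir/exposed.conf" <<'EOF'
# constructed: binds every interface, the case the post warns about
listen_addresses = '*'          # what IP address(es) to listen on
port = 5432
EOF
cat > "$_demo_dir/loopback.conf" <<'EOF'
# constructed: loopback only, on a non-default port
listen_addresses = 'localhost, 127.0.0.1'
port = 5433
EOF
cat > "$_demo_dir/defaults.conf" <<'EOF'
# constructed: neither key set, so PostgreSQL defaults apply
#listen_addresses = '*'
EOF

pg_report "$_demo_dir/exposed.conf"
pg_report "$_demo_dir/loopback.conf"
pg_report "$_demo_dir/defaults.conf"
```

Point `pg_report` at a real server's `$PGDATA/postgresql.conf` to see where it stands; a "network" result means the firewall and pg_hba.conf are the only things between the daemon and the 300,000-host crowd the post mentions, and patching is still what removes the flaw itself.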

Fairly big oversight on the part of the PostgreSQL developers.

Topic: Security. Tags: postgresql, RCE, DoS, CVE