    PostgreSQL is a fully featured object-relational database management system. It supports a large part of the SQL standard and is designed to be extensible by users in many aspects.  Graphical user interfaces and bindings for many programming languages are available as well.

    Earlier this month, I discovered a denial of service vulnerability in PostgreSQL (CVE-2013-0255): the server crashes if a particular internal function is called with the wrong argument type from an ordinary SQL query. In principle, the same misdeclared call could also be used to read the contents of the server's memory instead of crashing it. Exploitation requires a database login, since the attacker must be able to issue SQL statements to the server. Currently, no threats in the wild are exploiting this vulnerability.

    The following versions of PostgreSQL are vulnerable:

    • 8.3.x before 8.3.23
    • 8.4.x before 8.4.16
    • 9.0.x before 9.0.12
    • 9.1.x before 9.1.8
    • 9.2.x before 9.2.3

    The function in question is enum_recv, the binary-input (receive) function for enum types, implemented in src/backend/utils/adt/enum.c. Like every other _recv function, it expects its first argument to be of the pseudo-type "internal" (a pointer to the binary input buffer), but its entry in the system catalog declares that argument as "cstring". Because cstring is a type an ordinary SQL caller can supply, any user can pass a string to enum_recv from SQL; the function then interprets that string as a buffer structure and the server crashes. The fix in the patched minor releases adds a runtime check that rejects calls from SQL with an error instead of crashing. The catalog declaration itself is left unchanged for now, because correcting a catalog entry requires an initdb and cannot be shipped in a minor release; PostgreSQL will fix the declaration in a future major release.

    PostgreSQL has released updates to patch this vulnerability. We strongly urge administrators to update their servers to the appropriate version as soon as possible. The patched versions are:

    • 8.3.23
    • 8.4.16
    • 9.0.12
    • 9.1.8
    • 9.2.3
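
    The following SQL is an added example for checking an instance and is not part of the original post or of PostgreSQL's own code. It assumes you can connect with psql (or any SQL client) as a user allowed to read pg_catalog, and it uses the patched release numbers listed above as thresholds. The optional third step assumes the pre-9.3 catalog signature enum_recv(cstring, oid), where the second argument is the OID of the enum type; it is the call the post describes and must only be run against a disposable test server, never production.

```sql
-- Added example (not from the original post): check a PostgreSQL server
-- for the enum_recv denial-of-service issue.

-- 1. Is the server at or above the patched minor release for its branch?
--    server_version_num encodes the version, e.g. 90203 for 9.2.3 and
--    80416 for 8.4.16, so integer division by 100 yields the branch.
--    Enum types (and therefore enum_recv) only exist from 8.3 onward.
SELECT v.num AS server_version_num,
       CASE
         WHEN v.num < 80300                      THEN 'not affected (no enum types before 8.3)'
         WHEN v.num / 100 = 803 AND v.num >= 80323 THEN 'patched'
         WHEN v.num / 100 = 804 AND v.num >= 80416 THEN 'patched'
         WHEN v.num / 100 = 900 AND v.num >= 90012 THEN 'patched'
         WHEN v.num / 100 = 901 AND v.num >= 90108 THEN 'patched'
         WHEN v.num / 100 = 902 AND v.num >= 90203 THEN 'patched'
         WHEN v.num >= 90300                     THEN 'patched (catalog declaration corrected)'
         ELSE 'VULNERABLE: update to the patched release for this branch'
       END AS enum_recv_status
FROM (SELECT current_setting('server_version_num')::int AS num) AS v;

-- 2. How is enum_recv declared in the catalog? The minor-release fixes keep
--    the old "cstring, oid" signature and reject SQL callers at runtime;
--    9.3 and later declare the first argument as "internal", which cannot
--    be supplied from SQL at all.
SELECT p.proname,
       oidvectortypes(p.proargtypes) AS declared_args,
       p.prorettype::regtype         AS returns
FROM pg_catalog.pg_proc AS p
WHERE p.proname = 'enum_recv';

-- 3. Optional smoke test, ONLY on a disposable test instance. This is the
--    SQL-level call the post describes, using the assumed pre-9.3 signature
--    enum_recv(cstring, oid). An unpatched server crashes (all sessions are
--    dropped); a patched server returns an ERROR and stays up.
-- CREATE TYPE mood AS ENUM ('happy', 'sad');
-- SELECT enum_recv('happy'::cstring, 'mood'::regtype::oid);
```

    Step 1 alone tells you whether to schedule the update; step 2 is useful after patching, since a patched 8.3 to 9.2 server still shows the cstring declaration in the catalog and the protection is the runtime check, not the signature.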

    In addition, the following Deep Security rule can be used to protect against this threat:

    • 1005393 – PostgreSQL “enum_recv()” Denial Of Service Vulnerability

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice