CVE-2024-0985 - PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

First Published: 2024/02/26

Last Updated: 2024/02/26

Important: This is an assessment of the impact of CVE-2024-0985 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.

Vulnerability details

CVE-ID: CVE-2024-0985

CVSS Base Score: 8.0

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected products and versions

PostgreSQL

  • All versions prior to 15.6
  • All versions prior to 14.11
  • All versions prior to 13.14
  • All versions prior to 12.18

EnterpriseDB Postgres Advanced Server (EPAS)

  • All versions prior to 15.6.0
  • All versions prior to 14.11.0
  • All versions prior to 13.14.20
  • All versions prior to 12.18.23

EnterpriseDB Postgres Extended

  • All versions prior to 15.6

Remediation/fixes

PostgreSQL Version Information

Affected Version | Fixed In | Fix Published
15               | 15.6     | 2024-02-08
14               | 14.11    | 2024-02-08
13               | 13.14    | 2024-02-08
12               | 12.18    | 2024-02-08

EPAS Version Information

Product | VRMF                          | Remediation/First Fix
EPAS    | All versions prior to 15.6.0  | Update to latest supported version (at least 15.6.0) and patch existing clusters.
EPAS    | All versions prior to 14.11.0 | Update to latest supported version (at least 14.11.0) and patch existing clusters.
EPAS    | All versions prior to 13.14.20 | Update to latest supported version (at least 13.14.20) and patch existing clusters.
EPAS    | All versions prior to 12.18.23 | Update to latest supported version (at least 12.18.23) and patch existing clusters.

PGE Version Information

Product | VRMF                         | Remediation/First Fix
PGE     | All versions prior to 15.6.0 | Update to latest supported version (at least 15.6.0) and patch existing clusters.

Note

The only known exploit for this CVE does not work on PostgreSQL 16. The same defensive code as the older releases has nevertheless been added in PostgreSQL 16.2, EPAS 16.2 and PGE 16.2 for defense in depth. We strongly recommend upgrading your PostgreSQL 16, EPAS 16 and PGE 16 deployments to these versions.
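The following query is an added check, not part of the EDB advisory or of PostgreSQL's own fix. It does two things a DBA triaging this CVE wants before running REFRESH MATERIALIZED VIEW CONCURRENTLY as a privileged role: it maps the server's server_version_num to the fixed-version table above, and it lists materialized views owned by some other role, flagging the ones where the current role meets the victim condition from the summary (refresher is a superuser, or is a member of the owner's role). It assumes access to the standard pg_class, pg_namespace and pg_roles catalogs; the EPAS patch levels 13.14.20 and 12.18.23 are not visible in server_version_num, so for EPAS the installed package version must be checked separately (assumption noted in the comments).

```sql
-- Added example (not from the EDB advisory): CVE-2024-0985 triage for one database.
-- Part 1: branch/version status from server_version_num (major*10000 + minor, PG 10+).
-- Assumption: EPAS reports the same server_version_num as the community release it
-- tracks; its .20/.23 patch levels are not encoded here, so check the package too.
WITH v AS (
    SELECT current_setting('server_version_num')::int AS num
)
SELECT num AS server_version_num,
       CASE
         WHEN num >= 160200 THEN 'fixed (16.2+ carries the defense-in-depth change)'
         WHEN num >= 160000 THEN 'known exploit does not work on 16; upgrade to 16.2+ recommended'
         WHEN num >= 150006 THEN 'fixed (15.6+)'
         WHEN num >= 150000 THEN 'VULNERABLE: upgrade to 15.6 or later'
         WHEN num >= 140011 THEN 'fixed (14.11+)'
         WHEN num >= 140000 THEN 'VULNERABLE: upgrade to 14.11 or later'
         WHEN num >= 130014 THEN 'fixed (13.14+)'
         WHEN num >= 130000 THEN 'VULNERABLE: upgrade to 13.14 or later'
         WHEN num >= 120018 THEN 'fixed (12.18+)'
         WHEN num >= 120000 THEN 'VULNERABLE: upgrade to 12.18 or later'
         ELSE 'pre-12 branch: no fix published for this CVE; upgrade to a supported branch'
       END AS cve_2024_0985_status
FROM v;

-- Part 2: materialized views NOT owned by the current role. A row with
-- refresher_at_risk = true is exactly the victim scenario in the summary:
-- refreshing it CONCURRENTLY on an unpatched server would run the owner's
-- SQL functions with the refresher's privileges instead of the owner's.
SELECT n.nspname                                   AS schema_name,
       c.relname                                   AS matview,
       o.rolname                                   AS owner,
       current_user                                AS refresher,
       r.rolsuper                                  AS refresher_is_superuser,
       pg_has_role(current_user, o.oid, 'MEMBER')  AS refresher_is_member_of_owner,
       (r.rolsuper OR pg_has_role(current_user, o.oid, 'MEMBER')) AS refresher_at_risk
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles     o ON o.oid = c.relowner
JOIN pg_roles     r ON r.rolname = current_user
WHERE c.relkind = 'm'                 -- materialized views only
  AND o.rolname <> current_user       -- owned by someone else
ORDER BY refresher_at_risk DESC, schema_name, matview;
```

Run both statements as the role that actually performs refreshes (a superuser, or whatever automation role does it). On a server the first query reports as VULNERABLE, any row with refresher_at_risk = true should not be refreshed CONCURRENTLY by that role until the cluster is patched; the non-concurrent REFRESH is not what the advisory describes, but the simplest safe course is to patch first and refresh afterwards.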

References

Acknowledgement

Source: PostgreSQL.org

Change history

  • 26 Feb 2024: Published supplemental information

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
