CVE-2024-0985 - PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
Suggest editsFirst Published: 2024/02/26
Last Updated: 2024/02/26
Important: This is an assessment of the impact of CVE-2024-0895 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
Summary
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
Vulnerability details
CVE-ID: CVE-2024-0985
CVSS Base Score: 8.0
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Affected products and versions
PostgreSQL
- All versions prior to 15.6
- All versions prior to 14.11
- All versions prior to 13.14
- All versions prior to 12.18
EnterpriseDB Postgres Advanced Server (EPAS)
- All versions prior to 15.6.0
- All versions prior to 14.11.0
- All versions prior to 13.14.20
- All versions prior to 12.18.23
EnterpriseDB Postgres Extended
- All version prior to 15.6
Remediation/fixes
PostgreSQL Version Information
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 15 | 15.6 | 2024-02-08 |
| 14 | 14.11 | 2024-02-08 |
| 13 | 13.14 | 2024-02-08 |
| 12 | 12.18 | 2024-02-08 |
EPAS Version Information
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| EPAS | All versions prior to 15.6.0 | Update to latest supported version (at least 15.6.0) and patch existing clusters. |
| EPAS | All versions prior to 14.11.0 | Update to latest supported version (at least 14.11.0) and patch existing clusters. |
| EPAS | All versions prior to 13.14.20 | Update to latest supported version (at least 13.14.20) and patch existing clusters. |
| EPAS | All versions prior to 12.18.23 | Update to latest supported version (at least 12.18.23) and patch existing clusters. |
PGE Version Information
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| PGE | All versions prior to 15.6.0 | Update to latest supported version (at least 15.6.0 and patch existing clusters. |
Note
The exploit referred to in this CVE did not work on PostgreSQL 16. The same defensive code as other releases has been added in PostgreSQL 16.2, EPAS 16.2 and PGE 16.2 to ensure strength in depth. We strongly recommend upgrading your PostgreSQL 16, EPAS 16 and PGE 16 deployments to these versions.
References
Related information
Acknowledgement
Source: PostgreSQL.org
Change history
- 26 Feb 2024: Published supplemental information
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
Could this page be better? Report a problem or suggest an addition!