Amazon Linux AMI 2: CVE-2024-10976: Security patch for libpq, postgresql (Multiple Advisories)

Amazon Linux AMI 2: CVE-2024-10976: Security patch for libpq, postgresql (Multiple Advisories)

Severity

4

CVSS

(AV:L/AC:M/Au:N/C:P/I:P/A:P)

Published

11/14/2024

Created

12/21/2024

Added

12/20/2024

Modified

02/14/2025

Description

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended.CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes.They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy.This has the same consequences as the two earlier CVEs.That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles.This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs.Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications.This affects only databases that have used CREATE POLICY to define a row security policy.An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies.Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Solution(s)

• amazon-linux-ami-2-upgrade-libpq
• amazon-linux-ami-2-upgrade-libpq-debuginfo
• amazon-linux-ami-2-upgrade-libpq-devel
• amazon-linux-ami-2-upgrade-postgresql
• amazon-linux-ami-2-upgrade-postgresql-contrib
• amazon-linux-ami-2-upgrade-postgresql-debuginfo
• amazon-linux-ami-2-upgrade-postgresql-docs
• amazon-linux-ami-2-upgrade-postgresql-llvmjit
• amazon-linux-ami-2-upgrade-postgresql-plperl
• amazon-linux-ami-2-upgrade-postgresql-plpython3
• amazon-linux-ami-2-upgrade-postgresql-pltcl
• amazon-linux-ami-2-upgrade-postgresql-private-devel
• amazon-linux-ami-2-upgrade-postgresql-private-libs
• amazon-linux-ami-2-upgrade-postgresql-server
• amazon-linux-ami-2-upgrade-postgresql-server-devel
• amazon-linux-ami-2-upgrade-postgresql-static
• amazon-linux-ami-2-upgrade-postgresql-test
• amazon-linux-ami-2-upgrade-postgresql-test-rpm-macros
• amazon-linux-ami-2-upgrade-postgresql-upgrade
• amazon-linux-ami-2-upgrade-postgresql-upgrade-devel

References

• https://attackerkb.com/topics/cve-2024-10976
• AL2/ALASPOSTGRESQL13-2024-008
• AL2/ALASPOSTGRESQL14-2024-014
• AL2/ALASPOSTGRESQL14-2024-015
• CVE - 2024-10976