April 4th, 2013: Action Required: PostgreSQL Security Vulnerability CVE-2013-1899 and more

Keri Meredith
posted this on April 03, 2013 09:01 AM

Updated: April 4th, 2013

This update fixes a high-exposure security vulnerability in PostgreSQL versions 9.0 and later.

Note: Your environment is not at risk; however, we strongly encourage you to upgrade because this release contains several security patches and fixes. By default, Engine Yard does not open database ports to the outside world: only instances inside the same environment can use them, and your application environment is locked down using AWS Security Groups.

For customers on 9.0.x: The 9.0 builds of PostgreSQL were offered exclusively through a Limited Access (alpha) program. The upgrade process for these hosts requires additional steps. You will be receiving a separate communication on this shortly. We recommend waiting until you receive this communication before proceeding with this update.

This security update contains the following sections:

  • Issue - security vulnerability summarized.
  • Solution - the recommended solution for most cases.
  • FAQs - frequently asked questions.
  • More information - helpful links related to this security vulnerability.

Tip: To stay up to date on:

  • All Engine Yard security-related issues, subscribe to the Security Updates forum.
  • Upcoming releases, subscribe to the Release Notes forum.
  • This particular issue, subscribe to this article by clicking the Subscribe link in the upper right.

If you need help with subscribing, see this article.

Issues

The PostgreSQL Global Development Group released a security fix on April 4th, 2013 for all versions of the database: http://www.postgresql.org/about/news/1456/.

CVE-2013-1899

Connection request can damage files. This vulnerability has been assigned the CVE identifier CVE-2013-1899.

Versions Affected: All 9.0 and later.

Fixed Versions: 9.2.4 and 9.1.9 and 9.0.13.

CVE-2013-1900

Random numbers are easy to guess. This vulnerability has been assigned the CVE identifier CVE-2013-1900.

Versions Affected: All 9.0 and later.

Fixed Versions: 9.2.4 and 9.1.9 and 9.0.13.

CVE-2013-1901

Unprivileged user can interfere with backups. This vulnerability has been assigned the CVE identifier CVE-2013-1901.

Versions Affected: All 9.0 and later.

Fixed Versions: 9.2.4 and 9.1.9 and 9.0.13.

CVE-2013-1902

Insecure passwords in a script. This vulnerability has been assigned the CVE identifier CVE-2013-1902.

Versions Affected: All 9.0 and later.

Fixed Versions: 9.2.4 and 9.1.9 and 9.0.13.

CVE-2013-1903

Predictable filenames in /tmp directory. This vulnerability has been assigned the CVE identifier CVE-2013-1903.

Versions Affected: All 9.0 and later.

Fixed Versions: 9.2.4 and 9.1.9 and 9.0.13.

Solution

Important notes:

  • You must upgrade your stack to receive the latest secured version of the database (April 4th, 2013 or later).
  • You should always test in a staging environment first before you update your production environment.
  • It is best practice to back up (or snapshot) your database. See Back Up the Database for more information.

To upgrade your stack and database

  1. Put up the maintenance page.
  2. Upgrade to the latest cookbook (April 4th, 2013 or later).
  3. SSH into each database instance to restart the process. Starting with the db_master, restart your server using the version-appropriate init.d script. For example, if you are running 9.2.x:

    sudo /etc/init.d/postgresql-9.2 restart

  4. Test the connection to the server:

    psql -U deploy <dbname>

  5. Restart Unicorn / Passenger instances and any other services that use the database.
  6. Take down the maintenance page.

FAQs

How can I tell which versions I have now?

You can verify the PostgreSQL version on the Environment page: in the More Options section, click Edit Environment, then scroll down to see the version of PostgreSQL. You need to know whether it is 9.2.x, 9.1.x, or 9.0.x. Alternatively, run select version(); from your PostgreSQL shell.

Note: Check each app environment if you have multiple versions of PostgreSQL running in various environments.
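
One way to script this check, and to confirm the result after the restart in the upgrade steps above. This is an added example, not Engine Yard tooling; the function name pg_fix_status and the sample banners are made up for illustration, and it covers only the three branches whose fixed versions this notice lists.

```shell
#!/bin/sh
# Classify a "select version();" banner against the fixed versions
# listed in this notice: 9.2.4, 9.1.9 and 9.0.13.
#
# pg_fix_status "<banner>" prints one of:
#   patched     patch level is at or above the fixed version for its branch
#   vulnerable  patch level is below the fixed version for its branch
#   not-listed  branch is not one of 9.0 / 9.1 / 9.2
#   unparsed    no x.y.z version found (e.g. a connection error message)
pg_fix_status() {
    # Take the first x.y.z triple; the banner starts "PostgreSQL x.y.z on ...".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo unparsed
        return 0
    fi
    branch=${ver%.*}    # e.g. 9.2
    patch=${ver##*.}    # e.g. 3
    case "$branch" in
        9.2) fixed=4 ;;
        9.1) fixed=9 ;;
        9.0) fixed=13 ;;
        *)   echo not-listed; return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample banners (not taken from a real host).
# On a database instance, pass the live banner instead:
#   pg_fix_status "$(psql -U deploy -At -c 'select version();' <dbname>)"
for banner in \
    "PostgreSQL 9.2.3 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit" \
    "PostgreSQL 9.1.9 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit" \
    "PostgreSQL 9.0.12 on x86_64-pc-linux-gnu, compiled by gcc, 64-bit"
do
    printf '%-11s %s\n' "$(pg_fix_status "$banner")" "$banner"
done
```

Run it on every database instance in each environment; a server that still reports the old patch level after the cookbook upgrade has not been restarted yet.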

How long will it take to back up my database?

That's entirely dependent upon the size and contents of your database. If you test using production data in a staging environment first, and you have verified the results in staging, then you can skip the backup step for the production environment.

More information

For more information about ... / See ...

  • PostgreSQL 9.2.4, 9.1.9, 9.0.13 and 8.4.17 released - announcement: http://www.postgresql.org/about/news/1456/
  • Stack upgrade for Engine Yard Cloud cookbooks that addresses vulnerabilities above: April 2013 Release Notes
  • Complete PostgreSQL security info - summary page maintained by the PostgreSQL Global Development Group (PGDG): http://www.postgresql.org/support/security/

If you have feedback or questions about this page, add a comment below. If you need help, submit a ticket with Engine Yard Support.