Mitigation Instructions for CVE-2019-10164

SUBJECT: CVE-2019-10164 Stack-based buffer overflow via setting a password

TECH STACK: PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4

DATE(S) ISSUED: 06/26/2019

NVD Last Modified: 10/02/2020

CRITICALITY: HIGH

OVERVIEW:

CVE-2019-10164 is a stack-based buffer overflow vulnerability that affects PostgreSQL versions 10.x before 10.9 and 11.x before 11.4.

In this vulnerability, any authenticated user can overflow a stack-based buffer by changing their own password to a specially crafted value. A buffer overflow occurs when more data is written to a buffer than it was allocated to hold, so the excess overwrites adjacent memory; on the stack, that adjacent memory includes control data such as saved return addresses, which is why such overflows can lead to code execution.

This vulnerability is particularly critical because it can often allow the execution of arbitrary code with the permissions of the PostgreSQL operating system account. Depending on the permissions of this account, an attacker could potentially take full control of the affected system, which might allow them to steal or modify data, disrupt system operation, or perform other unauthorized actions.

SOLUTION:

To mitigate this vulnerability, it is recommended to upgrade PostgreSQL to version 10.9 or later for 10.x versions and 11.4 or later for 11.x versions. These updated versions include a patch that fixes the buffer overflow issue.

Additionally, as with any system, it is good practice to follow the principle of least privilege: give each account the minimum permissions necessary to perform its tasks. This applies both to database roles and to the operating system account under which PostgreSQL runs, since that account's permissions are what an attacker would obtain by exploiting this vulnerability. Least privilege does not prevent the overflow, but it limits the damage if a vulnerability like this one is exploited.
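To decide whether a given server still needs the upgrade described above, the version string returned by `SHOW server_version;` (or `SELECT version();`) has to be compared against the fixed releases 10.9 and 11.4. The following script is an added example written for this page, not code from PostgreSQL or from the advisory. It assumes the version string is supplied to it (for example pasted from psql output, which on packaged builds may carry a suffix such as "11.3 (Debian 11.3-1.pgdg90+1)"); the sample strings in the block are constructed for illustration.

```python
import re
import sys
from typing import Optional, Tuple

# Fixed releases as stated in the advisory: 10.x is fixed in 10.9, 11.x in 11.4.
# Major lines not listed here are outside the advisory's scope.
FIXED_MINOR = {10: 9, 11: 4}


def parse_version(version_string: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a server_version string.

    Accepts plain strings like "10.8" as well as packaged-build strings such as
    "11.3 (Debian 11.3-1.pgdg90+1)". Returns None if no major.minor pair is found
    (e.g. a pre-release string like "11beta1").
    """
    match = re.match(r"\s*(\d+)\.(\d+)", version_string)
    if not match:
        return None
    return int(match.group(1)), int(match.group(2))


def is_affected(version_string: str) -> bool:
    """True if the version lies in the affected ranges: 10.x < 10.9 or 11.x < 11.4."""
    parsed = parse_version(version_string)
    if parsed is None:
        raise ValueError(f"unrecognised PostgreSQL version string: {version_string!r}")
    major, minor = parsed
    fixed_minor = FIXED_MINOR.get(major)
    if fixed_minor is None:
        return False
    return minor < fixed_minor


def recommended_version(version_string: str) -> Optional[str]:
    """Return the minimum fixed release for an affected version, else None."""
    if not is_affected(version_string):
        return None
    major, _ = parse_version(version_string)
    return f"{major}.{FIXED_MINOR[major]}"


def report(version_string: str) -> str:
    """Human-readable one-line verdict for an operator."""
    target = recommended_version(version_string)
    if target is None:
        return f"{version_string}: not in the affected ranges for CVE-2019-10164"
    return f"{version_string}: AFFECTED by CVE-2019-10164, upgrade to {target} or later"


if __name__ == "__main__":
    # Constructed sample strings; pass a real server_version as the first argument instead.
    samples = sys.argv[1:] or ["10.8", "10.9", "11.3 (Debian 11.3-1.pgdg90+1)", "11.4", "9.6.14"]
    for sample in samples:
        print(report(sample))
```

The script deliberately refuses pre-release strings rather than guessing, since "11beta1" carries no minor number and a wrong "not affected" verdict is worse than an error. Versions outside the 10.x and 11.x lines are reported as not affected only in the sense of this advisory; they should still be kept on a supported minor release.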

REFERENCES:

Third Party Advisories:

  1. OpenSUSE Security Announcement
  2. Red Hat Bugzilla CVE-2019-10164
  3. Fedora Project Advisory 1
  4. Fedora Project Advisory 2
  5. Gentoo Security Advisory (GLSA-202003-03)
  6. PostgreSQL Official News Announcement

Confirmation & Additional Information:

  1. Red Hat Bugzilla Confirmation
  2. Fedora Project Confirmation 1
  3. Fedora Project Confirmation 2
  4. Gentoo Security Confirmation (GLSA-202003-03)
  5. PostgreSQL Official Security Information for CVE-2019-10164
  6. OpenSUSE Security Confirmation