1 min read

Mitigation Instructions for CVE-2019-10164

Picture of CyRisk Vulnerability Management Team CyRisk Vulnerability Management Team : May 15, 2023 3:26:32 PM

Mitigation Instructions for CVE-2019-10164

SUBJECT: CVE-2019-10164 Stack-based buffer overflow via setting a password

TECH STACK: PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4

DATE(S) ISSUED: 06/26/2019

NVD Last Modified: 10/02/2020

CRITICALITY: HIGH

OVERVIEW:

CVE-2019-10164 is a stack-based buffer overflow vulnerability that affects PostgreSQL versions 10.x before 10.9 and 11.x before 11.4.

In this vulnerability, any authenticated user can overflow a stack-based buffer by changing their own password to a specially crafted value. A buffer overflow occurs when more data is written to a buffer than it can handle, causing the excess data to overflow into adjacent memory spaces.

This vulnerability is particularly critical because it can often allow the execution of arbitrary code with the permissions of the PostgreSQL operating system account. Depending on the permissions of this account, an attacker could potentially take full control of the affected system, which might allow them to steal or modify data, disrupt system operation, or perform other unauthorized actions.

SOLUTION:

To mitigate this vulnerability, it is recommended to upgrade PostgreSQL to version 10.9 or later for 10.x versions and 11.4 or later for 11.x versions. These updated versions include a patch that fixes the buffer overflow issue.

Additionally, as with any system, it's a good practice to follow the principle of least privilege. This means giving each user account the minimum permissions necessary to perform its tasks. This can help to limit the potential damage if a vulnerability like this one is exploited.

REFERENCES:

Third Party Advisories:

  1. OpenSUSE Security Announcement
  2. Red Hat Bugzilla CVE-2019-10164
  3. Fedora Project Advisory 1
  4. Fedora Project Advisory 2
  5. Gentoo Security Advisory (GLSA-202003-03)
  6. PostgreSQL Official News Announcement

Confirmation & Additional Information:

  1. Red Hat Bugzilla Confirmation
  2. Fedora Project Confirmation 1
  3. Fedora Project Confirmation 2
  4. Gentoo Security Confirmation (GLSA-202003-03)
  5. PostgreSQL Official Security Information for CVE-2019-10164
  6. OpenSUSE Security Confirmation
Mitigation Instructions for Adobe ColdFusion CVE-2023-29300

Mitigation Instructions for Adobe ColdFusion CVE-2023-29300

Picture of CyRisk Vulnerability Management Team CyRisk Vulnerability Management Team: Mar 8, 2024 2:53:16 PM

SUBJECT: CVE-2023-29300: Adobe ColdFusion Deserialization of Untrusted Data Vulnerability - Detailed Mitigation Guide

security
Read More
Mitigation Instructions for Microsoft Exchange Server CVE-2024-21410

Mitigation Instructions for Microsoft Exchange Server CVE-2024-21410

Picture of CyRisk Vulnerability Management Team CyRisk Vulnerability Management Team: Mar 8, 2024 2:50:55 PM

SUBJECT: Critical Exchange Server Elevation of Privilege Vulnerability (CVE-2024-21410)

security
Read More
Mitigation Instructions for Cisco ASA and FTD CVE-2020-3259

Mitigation Instructions for Cisco ASA and FTD CVE-2020-3259

Picture of CyRisk Vulnerability Management Team CyRisk Vulnerability Management Team: Mar 8, 2024 2:50:45 PM

SUBJECT: Mitigate Cisco ASA and FTD Information Disclosure Vulnerability (CVE-2020-3259)

security
Read More