SUBJECT: CVE-2019-10211 Improper Control of Generation of Code ('Code Injection')
TECH STACK: Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24
DATE(S) ISSUED: 10/29/2019
NVD Last Modified: 10/28/2021
CRITICALITY: CRITICAL
OVERVIEW:
CVE-2019-10211 is a security vulnerability that affects the PostgreSQL Windows installer for versions before 11.5, 10.10, 9.6.15, 9.5.19, and 9.4.24.
The vulnerability lies in the bundled OpenSSL library that the installer uses. The issue is that this library executes code from an unprotected directory. This means that an attacker with access to the filesystem could potentially place malicious code in this directory, which would then be executed by the OpenSSL library. This could lead to unauthorized actions being performed, such as data theft, data corruption, or other forms of system compromise.
The vulnerability is particularly concerning because it could allow an attacker to execute arbitrary code with the permissions of the user running the PostgreSQL installer, which is often an administrator or other privileged user.
SOLUTION:
To address this vulnerability, users should upgrade to the patched versions of PostgreSQL (11.5, 10.10, 9.6.15, 9.5.19, or 9.4.24 and above). This will ensure that the OpenSSL library used by the installer does not execute code from unprotected directories. Users should also consider following general security best practices, such as restricting filesystem access to trusted users only and regularly updating all software to the latest versions to ensure all security patches are applied.
REFERENCES:
Confirmations:
- Red Hat Bugzilla CVE-2019-10211
- PostgreSQL Official News Announcement
- PostgreSQL Official Security Information for CVE-2019-10211
Third Party Advisory & Issue Tracking:
- Red Hat Bugzilla CVE-2019-10211
- PostgreSQL Official News Announcement
