Security updates: PostgreSQL vulnerable to malware attacks

The PostgreSQL database management system is vulnerable via several gaps. Admins should secure instances now. Support for one version is coming to an end.


The developers have closed four software vulnerabilities in the current PostgreSQL versions. In the worst case, malicious code can get onto systems and compromise them. Security updates are available. However, these are the last patches for one version.

In the security section of the database management system's website, the developers list versions 12.21, 13.17, 14.14, 15.9, 16.5 and 17.1, which are equipped against possible attacks. The most dangerous vulnerability (CVE-2024-10979, rated "high") affects the PL/Perl component. At this point, attackers can manipulate environment variables without authentication in order to execute malicious code.

If attackers successfully exploit the other vulnerabilities (CVE-2024-10976, rated "medium"; CVE-2024-10977, rated "low"; CVE-2024-10978, rated "medium"), they can, among other things, connect as a man-in-the-middle.

So far, there are no reports of ongoing attacks. Nevertheless, admins should act quickly and secure their instances. The developers point out that support for PostgreSQL 12 has expired and that this version is now receiving security updates for the last time. Gaps discovered from now on will no longer be closed, and the software can then endanger systems. In order to keep computers protected, admins must upgrade to a version that is still supported.
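As an added, defender-side example (not code from the article or from the PostgreSQL project): a small Python helper that takes the string returned by a server's `SELECT version()`, compares it against the fixed releases listed above, and flags PostgreSQL 12 as reaching end of support. The version strings in the usage block are constructed samples; `extnames` is assumed to come from `SELECT extname FROM pg_extension`.

```python
import re

# Fixed minor release per major version, as listed in the advisory above.
FIXED_VERSIONS = {12: 21, 13: 17, 14: 14, 15: 9, 16: 5, 17: 1}
# Major versions receiving their last security update with this release.
EOL_MAJOR = {12}


def parse_version(version_string):
    """Return (major, minor) from the output of SELECT version().

    Handles the modern 'PostgreSQL 16.3 on x86_64 ...' form as well as the
    pre-10 'PostgreSQL 9.6.24' form, where the first two numbers are returned.
    """
    m = re.search(r"PostgreSQL\s+(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version_string):
    """List of findings for one server; an empty list means 'patched and supported'."""
    major, minor = parse_version(version_string)
    findings = []
    fixed_minor = FIXED_VERSIONS.get(major)
    if fixed_minor is None:
        findings.append(f"PostgreSQL {major} is not in the advisory's fixed-version list; "
                        "verify its support status")
    elif minor < fixed_minor:
        findings.append(f"PostgreSQL {major}.{minor} is below fixed release "
                        f"{major}.{fixed_minor}: update")
    if major in EOL_MAJOR:
        findings.append(f"PostgreSQL {major} receives its last security update with "
                        f"{major}.{FIXED_VERSIONS[major]}: plan a major upgrade")
    return findings


def plperl_installed(extnames):
    """True if PL/Perl (trusted or untrusted) is installed, i.e. CVE-2024-10979 is relevant."""
    return any(name in ("plperl", "plperlu") for name in extnames)


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("PostgreSQL 16.3 on x86_64-pc-linux-gnu, compiled by gcc",
                   "PostgreSQL 12.20 on x86_64-pc-linux-gnu",
                   "PostgreSQL 17.1 on aarch64-unknown-linux-gnu"):
        print(sample.split(" on ")[0], "->", assess(sample) or "patched and supported")
    print("PL/Perl present:", plperl_installed(["plpgsql", "plperlu"]))
```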


In addition to the security updates, the developers report having fixed more than 35 bugs. Among other things, they have optimized memory usage and improved stability. The release notes can be viewed online.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.