CVE-2012-3489: Input Validation
First published: Fri Aug 17 2012(Updated: )
An XML External Entities (XXE) attack was found in the way xmlparse routine, used for producing of xml data type value from character data, of PostgreSQL, an advanced Object-Relational database management system (DBMS), performed parsing of provided character data. An unprivileged database user could issue a specially-crafted SQL query to the PostgreSQL server that, when processed could lead to attacker's ability to read arbitrary system files, accessible with privileges of the user running the PostgreSQL server. References: [1] <a href="http://www.postgresql.org/docs/8.3/static/release-8-3-20.html">http://www.postgresql.org/docs/8.3/static/release-8-3-20.html</a> [2] <a href="http://www.postgresql.org/docs/9.0/static/release-9-0-9.html">http://www.postgresql.org/docs/9.0/static/release-9-0-9.html</a> [3] <a href="http://www.postgresql.org/docs/9.1/static/release-9-1-5.html">http://www.postgresql.org/docs/9.1/static/release-9-1-5.html</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <9.1.5 | 9.1.5 |
| redhat/postgresql | <9.0.9 | 9.0.9 |
| redhat/postgresql | <8.4.13 | 8.4.13 |
| redhat/postgresql | <8.3.20 | 8.3.20 |
| PostgreSQL JDBC Driver | =9.0 | |
| PostgreSQL JDBC Driver | =9.0.1 | |
| PostgreSQL JDBC Driver | =9.0.2 | |
| PostgreSQL JDBC Driver | =9.0.3 | |
| PostgreSQL JDBC Driver | =9.0.4 | |
| PostgreSQL JDBC Driver | =9.0.5 | |
| PostgreSQL JDBC Driver | =9.0.6 | |
| PostgreSQL JDBC Driver | =9.0.7 | |
| PostgreSQL JDBC Driver | =9.0.8 | |
| PostgreSQL JDBC Driver | =9.1 | |
| PostgreSQL JDBC Driver | =9.1.1 | |
| PostgreSQL JDBC Driver | =9.1.2 | |
| PostgreSQL JDBC Driver | =9.1.3 | |
| PostgreSQL JDBC Driver | =9.1.4 | |
| PostgreSQL JDBC Driver | =8.3 | |
| PostgreSQL JDBC Driver | =8.3.1 | |
| PostgreSQL JDBC Driver | =8.3.2 | |
| PostgreSQL JDBC Driver | =8.3.3 | |
| PostgreSQL JDBC Driver | =8.3.4 | |
| PostgreSQL JDBC Driver | =8.3.5 | |
| PostgreSQL JDBC Driver | =8.3.6 | |
| PostgreSQL JDBC Driver | =8.3.7 | |
| PostgreSQL JDBC Driver | =8.3.8 | |
| PostgreSQL JDBC Driver | =8.3.9 | |
| PostgreSQL JDBC Driver | =8.3.10 | |
| PostgreSQL JDBC Driver | =8.3.11 | |
| PostgreSQL JDBC Driver | =8.3.12 | |
| PostgreSQL JDBC Driver | =8.3.13 | |
| PostgreSQL JDBC Driver | =8.3.14 | |
| PostgreSQL JDBC Driver | =8.3.15 | |
| PostgreSQL JDBC Driver | =8.3.16 | |
| PostgreSQL JDBC Driver | =8.3.17 | |
| PostgreSQL JDBC Driver | =8.3.18 | |
| PostgreSQL JDBC Driver | =8.3.19 | |
| PostgreSQL JDBC Driver | =8.4 | |
| PostgreSQL JDBC Driver | =8.4.1 | |
| PostgreSQL JDBC Driver | =8.4.2 | |
| PostgreSQL JDBC Driver | =8.4.3 | |
| PostgreSQL JDBC Driver | =8.4.4 | |
| PostgreSQL JDBC Driver | =8.4.5 | |
| PostgreSQL JDBC Driver | =8.4.6 | |
| PostgreSQL JDBC Driver | =8.4.7 | |
| PostgreSQL JDBC Driver | =8.4.8 | |
| PostgreSQL JDBC Driver | =8.4.9 | |
| PostgreSQL JDBC Driver | =8.4.10 | |
| PostgreSQL JDBC Driver | =8.4.11 | |
| PostgreSQL JDBC Driver | =8.4.12 | |
| PostgreSQL | >=8.3.0<8.3.20 | |
| PostgreSQL | >=8.4.0<8.4.13 | |
| PostgreSQL | >=9.0.0<9.0.9 | |
| PostgreSQL | >=9.1.0<9.1.5 | |
| Open edX | =11.4 | |
| Open edX | =12.1 | |
| Open edX | =12.2 | |
| Apple macOS Server | >=10.7.0<=10.7.5 | |
| Apple macOS Server | =10.6.8 | |
| Ubuntu Linux | =8.04 | |
| Ubuntu Linux | =10.04 | |
| Ubuntu Linux | =11.04 | |
| Ubuntu Linux | =11.10 | |
| Ubuntu Linux | =12.04 | |
| Debian | =6.0 | |
| Red Hat Enterprise Linux Desktop | =5.0 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Server EUS | =6.3 | |
| Red Hat Enterprise Linux Server | =5.0 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Workstation | =5.0 | |
| Red Hat Enterprise Linux Workstation | =6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
- http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
- http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=849174
- http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a4b0c0aaf093a015bebe83a24c183e10a66c8c39
- https://rhn.redhat.com/errata/RHSA-2012-1263.html
- https://bugzilla.redhat.com/show_bug.cgi?id=849173
- http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html
- http://rhn.redhat.com/errata/RHSA-2012-1263.html
- http://secunia.com/advisories/50635
- http://secunia.com/advisories/50718
- http://secunia.com/advisories/50859
- http://secunia.com/advisories/50946
- http://www.debian.org/security/2012/dsa-2534
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:139
- http://www.postgresql.org/about/news/1407/
- http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
- http://www.postgresql.org/support/security/
- http://www.securityfocus.com/bid/55074
- http://www.ubuntu.com/usn/USN-1542-1
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2
Frequently Asked Questions
What is the severity of CVE-2012-3489?
CVE-2012-3489 has a medium severity rating due to its potential exploitation through XML External Entities (XXE) attacks.
How do I fix CVE-2012-3489?
To fix CVE-2012-3489, update your PostgreSQL version to at least 9.1.5, 9.0.9, or 8.4.13.
Which versions of PostgreSQL are affected by CVE-2012-3489?
CVE-2012-3489 affects PostgreSQL versions prior to 9.1.5, 9.0.9, and 8.4.13.
Can unprivileged users exploit CVE-2012-3489?
Yes, unprivileged database users can exploit CVE-2012-3489 due to improper XML parsing.
What types of attacks can CVE-2012-3489 facilitate?
CVE-2012-3489 can facilitate XML External Entities (XXE) attacks, allowing attackers to access internal files or perform server-side request forgery.
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/severity
- agent/remedy
- agent/weakness
- agent/references
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-3489
- agent/software-canonical-lookup
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql jdbc driver
- version/postgresql jdbc driver/9.0
- version/postgresql jdbc driver/9.0.1
- version/postgresql jdbc driver/9.0.2
- version/postgresql jdbc driver/9.0.3
- version/postgresql jdbc driver/9.0.4
- version/postgresql jdbc driver/9.0.5
- version/postgresql jdbc driver/9.0.6
- version/postgresql jdbc driver/9.0.7
- version/postgresql jdbc driver/9.0.8
- version/postgresql jdbc driver/9.1
- version/postgresql jdbc driver/9.1.1
- version/postgresql jdbc driver/9.1.2
- version/postgresql jdbc driver/9.1.3
- version/postgresql jdbc driver/9.1.4
- version/postgresql jdbc driver/8.3
- version/postgresql jdbc driver/8.3.1
- version/postgresql jdbc driver/8.3.2
- version/postgresql jdbc driver/8.3.3
- version/postgresql jdbc driver/8.3.4
- version/postgresql jdbc driver/8.3.5
- version/postgresql jdbc driver/8.3.6
- version/postgresql jdbc driver/8.3.7
- version/postgresql jdbc driver/8.3.8
- version/postgresql jdbc driver/8.3.9
- version/postgresql jdbc driver/8.3.10
- version/postgresql jdbc driver/8.3.11
- version/postgresql jdbc driver/8.3.12
- version/postgresql jdbc driver/8.3.13
- version/postgresql jdbc driver/8.3.14
- version/postgresql jdbc driver/8.3.15
- version/postgresql jdbc driver/8.3.16
- version/postgresql jdbc driver/8.3.17
- version/postgresql jdbc driver/8.3.18
- version/postgresql jdbc driver/8.3.19
- version/postgresql jdbc driver/8.4
- version/postgresql jdbc driver/8.4.1
- version/postgresql jdbc driver/8.4.2
- version/postgresql jdbc driver/8.4.3
- version/postgresql jdbc driver/8.4.4
- version/postgresql jdbc driver/8.4.5
- version/postgresql jdbc driver/8.4.6
- version/postgresql jdbc driver/8.4.7
- version/postgresql jdbc driver/8.4.8
- version/postgresql jdbc driver/8.4.9
- version/postgresql jdbc driver/8.4.10
- version/postgresql jdbc driver/8.4.11
- version/postgresql jdbc driver/8.4.12
- canonical/postgresql
- version/postgresql/8.3.0
- version/postgresql/8.4.0
- version/postgresql/9.0.0
- version/postgresql/9.1.0
- vendor/opensuse
- canonical/open edx
- version/open edx/11.4
- version/open edx/12.1
- version/open edx/12.2
- vendor/apple
- canonical/apple macos server
- version/apple macos server/10.7.0
- version/apple macos server/10.7.5
- version/apple macos server/10.6.8
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/8.04
- version/ubuntu linux/10.04
- version/ubuntu linux/11.04
- version/ubuntu linux/11.10
- version/ubuntu linux/12.04
- vendor/debian
- canonical/debian
- version/debian/6.0
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/5.0
- version/red hat enterprise linux desktop/6.0
- canonical/red hat enterprise linux server eus
- version/red hat enterprise linux server eus/6.3
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/5.0
- version/red hat enterprise linux server/6.0
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/5.0
- version/red hat enterprise linux workstation/6.0