CVE-2021-23214: SQL Injection
First published: Fri Nov 12 2021(Updated: )
PostgreSQL is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements when the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, which could allow the attacker to view, add, modify or delete information in the back-end database.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM QRadar SIEM | <=7.5.0 GA | |
| IBM QRadar SIEM | <=7.4.3 GA - 7.4.3 FP4 | |
| IBM QRadar SIEM | <=7.3.3 GA - 7.3.3 FP10 | |
| redhat/postgresql | <9.6.24 | 9.6.24 |
| redhat/postgresql | <10.19 | 10.19 |
| redhat/postgresql | <11.14 | 11.14 |
| redhat/postgresql | <12.9 | 12.9 |
| redhat/postgresql | <13.5 | 13.5 |
| redhat/postgresql | <14.1 | 14.1 |
| PostgreSQL PostgreSQL | <9.6.24 | |
| PostgreSQL PostgreSQL | >=10.0<10.19 | |
| PostgreSQL PostgreSQL | >=11.0<11.14 | |
| PostgreSQL PostgreSQL | >=12.0<12.9 | |
| PostgreSQL PostgreSQL | >=13.0<13.5 | |
| PostgreSQL PostgreSQL | =14.0 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Redhat Software Collections | =1.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
| Redhat Enterprise Linux For Power Little Endian | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/213379
- https://www.ibm.com/support/pages/node/6574787 (Advisory)
- https://www.postgresql.org/support/security/CVE-2021-23214/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2022667
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2022673
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2022668
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2022669
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2022670
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2022671
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2022674
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2022672
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=28e24125541545483093819efae9bca603441951
- https://access.redhat.com/errata/RHSA-2021:5179
- https://access.redhat.com/errata/RHSA-2021:5197
- https://access.redhat.com/errata/RHSA-2021:5235
- https://access.redhat.com/errata/RHSA-2021:5236
- https://access.redhat.com/security/cve/cve-2021-23214
- https://access.redhat.com/errata/RHSA-2022:1830
- https://bugzilla.redhat.com/show_bug.cgi?id=2022666
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=28e24125541545483093819efae9bca603441951
- https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
- https://security.gentoo.org/glsa/202211-04
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951
Frequently Asked Questions
What is CVE-2021-23214?
CVE-2021-23214 is a vulnerability in PostgreSQL that allows for SQL injection attacks.
How does the vulnerability in PostgreSQL work?
The vulnerability in PostgreSQL allows a remote attacker to send specially-crafted SQL statements when the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, which could allow the attacker to view, add, modify, or delete information.
Which software versions are affected by the PostgreSQL vulnerability?
The PostgreSQL vulnerability affects IBM QRadar SIEM versions 7.5.0 GA, 7.4.3 GA - 7.4.3 FP4, and 7.3.3 GA - 7.3.3 FP10.
How severe is CVE-2021-23214?
CVE-2021-23214 has a severity rating of 8.1 (high).
How can I patch the PostgreSQL vulnerability in IBM QRadar SIEM?
To fix the PostgreSQL vulnerability in IBM QRadar SIEM, you can download the patches provided by IBM: 7.5.0-QRADAR-QRSIEM-20220215133427, 7.4.3-QRADAR-QRSIEM-20220307203834, and 7.3.3-QRADAR-QRSIEM-20220318161607.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/author
- agent/severity
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-23214
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/tags
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/10.0
- version/postgresql postgresql/11.0
- version/postgresql postgresql/12.0
- version/postgresql postgresql/13.0
- version/postgresql postgresql/14.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/redhat
- canonical/redhat software collections
- version/redhat software collections/1.0
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/8.0
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/8.0
- vendor/ibm
- canonical/ibm qradar siem
- version/ibm qradar siem/7.5.0 ga
- version/ibm qradar siem/7.4.3 ga - 7.4.3 fp4
- version/ibm qradar siem/7.3.3 ga - 7.3.3 fp10