First published: Tue Sep 07 2021(Updated: )
A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/postgresql | <13.4 | 13.4 |
redhat/postgresql | <12.8 | 12.8 |
redhat/postgresql | <11.13 | 11.13 |
PostgreSQL PostgreSQL | >=11.0<11.13 | |
PostgreSQL PostgreSQL | >=12.0<12.8 | |
PostgreSQL PostgreSQL | >=13.0<13.4 | |
Redhat Virtualization | =4.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux For Ibm Z Systems | =8.0 | |
Redhat Enterprise Linux For Power Little Endian | =8.0 | |
Redhat Software Collections | =1.0 | |
Redhat Enterprise Linux | =7.0 | |
Fedoraproject Fedora | =34 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2021-3677 is a vulnerability found in postgresql that allows an authenticated database user to read arbitrary bytes of server memory.
CVE-2021-3677 has a severity score of 6.5, which is considered medium.
Postgresql versions 11.0 to 11.13, 12.0 to 12.8, and 13.0 to 13.4 are affected by CVE-2021-3677.
To fix CVE-2021-3677, it is recommended to update to a patched version of postgresql (11.13, 12.8, or 13.4).
You can find more information about CVE-2021-3677 on the following references: [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2001857), [Gentoo GLSA](https://security.gentoo.org/glsa/202211-04), and [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220407-0008/).