CVE-2021-3677: Infoleak
First published: Tue Sep 07 2021(Updated: )
A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <13.4 | 13.4 |
| redhat/postgresql | <12.8 | 12.8 |
| redhat/postgresql | <11.13 | 11.13 |
| PostgreSQL JDBC Driver | >=11.0<11.13 | |
| PostgreSQL JDBC Driver | >=12.0<12.8 | |
| PostgreSQL JDBC Driver | >=13.0<13.4 | |
| Red Hat Enterprise Virtualization | =4.0 | |
| Red Hat Enterprise Linux | =8.0 | |
| redhat enterprise Linux for ibm z systems | =8.0 | |
| redhat enterprise Linux for power little endian | =8.0 | |
| redhat software collections | =1.0 | |
| Red Hat Enterprise Linux | =7.0 | |
| Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2001857
- https://security.gentoo.org/glsa/202211-04
- https://security.netapp.com/advisory/ntap-20220407-0008/
- https://www.postgresql.org/support/security/CVE-2021-3677/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2001858
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2001864
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2001859
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2001860
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2001861
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2001862
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2001863
- https://access.redhat.com/errata/RHSA-2021:5179
- https://access.redhat.com/errata/RHSA-2021:5197
- https://access.redhat.com/errata/RHSA-2021:5235
- https://access.redhat.com/errata/RHSA-2021:5236
- https://access.redhat.com/errata/RHSA-2022:4931
- https://access.redhat.com/security/cve/cve-2021-3677
Frequently Asked Questions
What is CVE-2021-3677?
CVE-2021-3677 is a vulnerability found in postgresql that allows an authenticated database user to read arbitrary bytes of server memory.
How severe is CVE-2021-3677?
CVE-2021-3677 has a severity score of 6.5, which is considered medium.
Who is affected by CVE-2021-3677?
Postgresql versions 11.0 to 11.13, 12.0 to 12.8, and 13.0 to 13.4 are affected by CVE-2021-3677.
How can I fix CVE-2021-3677?
To fix CVE-2021-3677, it is recommended to update to a patched version of postgresql (11.13, 12.8, or 13.4).
Where can I find more information about CVE-2021-3677?
You can find more information about CVE-2021-3677 on the following references: [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2001857), [Gentoo GLSA](https://security.gentoo.org/glsa/202211-04), and [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220407-0008/).
- agent/type
- agent/author
- agent/weakness
- agent/references
- agent/severity
- agent/description
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3677
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql jdbc driver
- version/postgresql jdbc driver/11.0
- version/postgresql jdbc driver/12.0
- version/postgresql jdbc driver/13.0
- vendor/redhat
- canonical/red hat enterprise virtualization
- version/red hat enterprise virtualization/4.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- canonical/redhat enterprise linux for ibm z systems
- version/redhat enterprise linux for ibm z systems/8.0
- canonical/redhat enterprise linux for power little endian
- version/redhat enterprise linux for power little endian/8.0
- canonical/redhat software collections
- version/redhat software collections/1.0
- version/red hat enterprise linux/7.0
- vendor/fedoraproject
- canonical/fedora
- version/fedora/34