Published:2023/01/23  Last Updated:2023/01/23

JVN#72418815
Pgpool-II vulnerable to information disclosure

Overview

Pgpool-II provided by PgPool Global Development Group contains an information disclosure vulnerability.

Products Affected

The following versions of Pgpool-II are affected:

  • 4.4.0 to 4.4.1 (4.4 series)
  • 4.3.0 to 4.3.4 (4.3 series)
  • 4.2.0 to 4.2.11 (4.2 series)
  • 4.1.0 to 4.1.14 (4.1 series)
  • 4.0.0 to 4.0.21 (4.0 series)
  • All versions of 3.7 series
  • All versions of 3.6 series
  • All versions of 3.5 series
  • All versions of 3.4 series
  • All versions of 3.3 series

Description

Pgpool-II is cluster management tool. Pgpool-II contains an information disclosure vulnerability (CWE-200) in its watchdog function.
Note that, only systems that meet all of the following setting requirements are affected by this vulnerability.

  • Watchdog function is enabled (use_watchdog = on)
  • "query mode" is used for the alive monitoring of watchdog (wd_lifecheck_method = 'query')
  • Plain text password is set for wd_lifecheck_password

Impact

A specific database user's authentication information may be obtained by another database user.
As a result, the information stored in the database may be altered and/or database may be suspended by an attacker who logged in with the obtained credentials.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

  • Pgpool-II 4.4.2 (4.4 series)
  • Pgpool-II 4.3.5 (4.3 series)
  • Pgpool-II 4.2.12 (4.2 series)
  • Pgpool-II 4.1.15 (4.1 series)
  • Pgpool-II 4.0.22 (4.0 series)
The developer recommends users to upgrade the software to 4.0 series or later, as 3.3 to 3.7 series are no longer supported (End-of-Support), and no updates/patches are provided for them.

Apply the workaround
Applying the following workarounds may mitigate the impacts of this vulnerability.
Pgpool-II 3.3 series to 3.7 series
  • Stop using watchdog function (use_watchdog = off)
  • Set as follows:
    • wd_lifecheck_method = 'heartbeat'
Pgpool-II 4.0 series to 4.4 series
  • Stop using watchdog function (use_watchdog = off)
  • Set as follows:
    • wd_lifecheck_method = 'heartbeat'
  • Set encrypted password with AES for wd_lifecheck_password
  • Set null characters for wd_lifecheck_password and the password to pool_passwd file

Vendor Status

Vendor Status Last Update Vendor Notes
PgPool Global Development Group Vulnerable 2023/01/23 PgPool Global Development Group website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
CVSS v2 AV:N/AC:M/Au:S/C:P/I:N/A:N
Base Score: 3.5
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Comment

"Confidentiality Impact(C)" in which the authentication information is disclosed, is evaluated as the primary impact.
"Integrity Impact(I)" and "Availability Impact(A)" are evaluated as the secondary impacts.

Credit

PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2023-22332
JVN iPedia JVNDB-2023-000008