JVN#72418815
Pgpool-II vulnerable to information disclosure
Overview
Pgpool-II provided by PgPool Global Development Group contains an information disclosure vulnerability.
Products Affected
The following versions of Pgpool-II are affected:
- 4.4.0 to 4.4.1 (4.4 series)
- 4.3.0 to 4.3.4 (4.3 series)
- 4.2.0 to 4.2.11 (4.2 series)
- 4.1.0 to 4.1.14 (4.1 series)
- 4.0.0 to 4.0.21 (4.0 series)
- All versions of 3.7 series
- All versions of 3.6 series
- All versions of 3.5 series
- All versions of 3.4 series
- All versions of 3.3 series
Description
Pgpool-II is a cluster management tool. Pgpool-II contains an information disclosure vulnerability (CWE-200) in its watchdog function.
Note that only systems that meet all of the following setting requirements are affected by this vulnerability:
- Watchdog function is enabled (use_watchdog = on)
- "query mode" is used for the alive monitoring of watchdog (wd_lifecheck_method = 'query')
- Plain text password is set for wd_lifecheck_password
Impact
A specific database user's authentication information may be obtained by another database user.
As a result, the information stored in the database may be altered and/or the database may be suspended by an attacker who logs in with the obtained credentials.
Solution
Update the Software
Update to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.
- Pgpool-II 4.4.2 (4.4 series)
- Pgpool-II 4.3.5 (4.3 series)
- Pgpool-II 4.2.12 (4.2 series)
- Pgpool-II 4.1.15 (4.1 series)
- Pgpool-II 4.0.22 (4.0 series)
Apply the workaround
Applying the following workarounds may mitigate the impacts of this vulnerability.
Pgpool-II 3.3 series to 3.7 series
- Stop using watchdog function (use_watchdog = off)
- Set as follows: wd_lifecheck_method = 'heartbeat'
- Stop using watchdog function (use_watchdog = off)
- Set as follows: wd_lifecheck_method = 'heartbeat'
- Set encrypted password with AES for wd_lifecheck_password
- Set null characters for wd_lifecheck_password and set the password in the pool_passwd file
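The three affected-configuration conditions in the Description, and the workaround settings above, can be checked against a pgpool.conf with a short script. This is an added example, not code from JVN or the Pgpool-II project; the sample configuration text, the parameter defaults and the treatment of an `AES` prefix as an encrypted value are assumptions, and the installed version still has to be compared with the affected list separately.

```python
import re

# "key = value" lines; the value is a single-quoted string or a bare token.
LINE = re.compile(r"^\s*(\w+)\s*=\s*(?:'((?:[^']|'')*)'|([^#\s]*))")
TRUE = {"on", "true", "yes", "1"}
# Assumed defaults used when a parameter is absent from the file.
DEFAULTS = {"use_watchdog": "off", "wd_lifecheck_method": "heartbeat",
            "wd_lifecheck_password": ""}

def parse_conf(text):
    """Return the three watchdog settings; later lines override earlier ones."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1).lower() in conf:
            quoted, bare = m.group(2), m.group(3)
            value = quoted.replace("''", "'") if quoted is not None else bare
            conf[m.group(1).lower()] = value
    return conf

def exposure(text):
    """Return (affected, conditions_met) for the advisory's three conditions."""
    conf = parse_conf(text)
    pw = conf["wd_lifecheck_password"]
    checks = {
        "use_watchdog = on": conf["use_watchdog"].lower() in TRUE,
        "wd_lifecheck_method = 'query'":
            conf["wd_lifecheck_method"].lower() == "query",
        # Assumption: an "AES" prefix marks an AES-encrypted value, and an
        # empty value means the password is looked up in pool_passwd.
        "plain text wd_lifecheck_password":
            pw != "" and not pw.startswith("AES"),
    }
    met = [name for name, ok in checks.items() if ok]
    return len(met) == len(checks), met

# Constructed sample configurations (not taken from a real system).
SAMPLE_AFFECTED = """
use_watchdog = on            # watchdog enabled
wd_lifecheck_method = 'query'
wd_lifecheck_password = 'example-plain-secret'
"""
SAMPLE_AES = SAMPLE_AFFECTED.replace("example-plain-secret",
                                     "AESexampleCiphertext==")

if __name__ == "__main__":
    for name, sample in (("affected", SAMPLE_AFFECTED), ("aes", SAMPLE_AES)):
        print(name, exposure(sample))
```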
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
PgPool Global Development Group | Vulnerable | 2023/01/23 | PgPool Global Development Group website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |

Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Comment
"Confidentiality Impact(C)", in which the authentication information is disclosed, is evaluated as the primary impact.
"Integrity Impact(I)" and "Availability Impact(A)" are evaluated as the secondary impacts.
Credit
PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.
Other Information
CVE | CVE-2023-22332 |
JVN iPedia | JVNDB-2023-000008 |