CVE-2017-7485: PostgreSQL vulnerabilities
It was discovered that the PostgreSQL client library (libpq) did not enforce the use of TLS/SSL for a connection to a PostgreSQL server when the PGREQUIRESSL environment variable was set. An man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Greenplum 4.3.x versions prior to 220.127.116.11
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
- Releases that have fixed this issue include:
- Pivotal Greenplum: 18.104.22.168