CVE-2019-10164: Critical Security Issue in PostgreSQL
Severity
High
Vendor
Pivotal Cloud Foundry
Description
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow when the server parses a stored SCRAM-SHA-256 password verifier. Any authenticated user can overflow the buffer by changing their own password to a purpose-crafted value; no elevated privilege is required, since every role may alter its own password. This crashes the server at minimum and often suffices to execute arbitrary code as the PostgreSQL operating system account.
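To make the defect class concrete, the following is an added C example; it is not PostgreSQL's code and does not reproduce the advisory's crafted value. It decodes a verifier's base64 StoredKey field into a fixed-size stack buffer, first in the vulnerable shape (an unbounded decoder, as pre-fix PostgreSQL had) and then in the hardened shape (a decoder bounded by the destination size plus an exact-length check, which is what the upstream fix added). The function names and the sample fields are hypothetical and constructed for this example.

```c
/*
 * Added example, not PostgreSQL's code. It models the defect class behind
 * CVE-2019-10164: a SCRAM verifier's base64 fields are decoded into a
 * fixed-size stack buffer, and an unbounded decoder lets an over-long,
 * user-controlled field write past that buffer. All names here
 * (b64_decode, parse_stored_key_unsafe/safe, the *_FIELD inputs) are
 * hypothetical, and the sample fields are constructed for this example.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32   /* SHA-256 digest size: the only valid StoredKey length */

/* Decode base64 'src' into 'dst', writing at most 'dstlen' bytes.
 * Returns the decoded length, or -1 on a bad character or if the
 * output would exceed 'dstlen'. A '=' padding character ends the input. */
static int b64_decode(const char *src, uint8_t *dst, size_t dstlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    size_t out = 0;

    for (; *src != '\0' && *src != '='; src++) {
        const char *p = strchr(tbl, *src);
        if (p == NULL)
            return -1;                         /* not a base64 character */
        acc = (acc << 6) | (uint32_t)(p - tbl);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dstlen)
                return -1;                     /* destination too small */
            dst[out++] = (uint8_t)(acc >> bits);
            acc &= (1u << bits) - 1;           /* keep the unemitted bits */
        }
    }
    return (int)out;
}

/* Vulnerable shape (kept for contrast; never call it on untrusted input):
 * the decoder is told the destination is unbounded, so a field that decodes
 * to more than KEY_LEN bytes overwrites whatever follows 'stored_key' in
 * this stack frame. Pre-fix PostgreSQL had the same shape because its
 * decoder took no destination length at all. */
static int parse_stored_key_unsafe(const char *field, uint8_t *key_out)
{
    uint8_t stored_key[KEY_LEN];
    int n = b64_decode(field, stored_key, SIZE_MAX);   /* no bound */
    if (n < 0)
        return -1;
    memcpy(key_out, stored_key, KEY_LEN);
    return 0;
}

/* Hardened shape: decoding is bounded by the destination size, and the
 * decoded length must be exactly KEY_LEN; anything else is rejected as an
 * invalid verifier instead of being trusted. */
static int parse_stored_key_safe(const char *field, uint8_t *key_out)
{
    uint8_t stored_key[KEY_LEN];
    int n = b64_decode(field, stored_key, sizeof stored_key);
    if (n != KEY_LEN)
        return -1;                       /* malformed, short, or over-long */
    memcpy(key_out, stored_key, KEY_LEN);
    return 0;
}

/* Constructed inputs: base64 of 32, 33 and 31 bytes of 0x41 ('A'). */
#define TEN_A_GROUPS "QUFBQUFBQUFBQUFBQUFB" "QUFBQUFBQUFBQUFBQUFB"
static const char GOOD_FIELD[]  = TEN_A_GROUPS "QUE=";   /* 32 bytes */
static const char LONG_FIELD[]  = TEN_A_GROUPS "QUFB";   /* 33 bytes */
static const char SHORT_FIELD[] = TEN_A_GROUPS "QQ==";   /* 31 bytes */

/* Decoded length of 'field' into a generous scratch buffer, for checks. */
static int decoded_length(const char *field)
{
    uint8_t scratch[64];
    return b64_decode(field, scratch, sizeof scratch);
}

/* 0 if the hardened parser accepts the field, -1 if it rejects it. */
static int stored_key_accepts(const char *field)
{
    uint8_t key[KEY_LEN];
    return parse_stored_key_safe(field, key);
}

int main(void)
{
    const char *fields[] = { GOOD_FIELD, LONG_FIELD, SHORT_FIELD, "QUFB!" };
    uint8_t key[KEY_LEN];

    for (size_t i = 0; i < sizeof fields / sizeof fields[0]; i++)
        printf("field %zu (%d decoded bytes): %s\n", i, decoded_length(fields[i]),
               stored_key_accepts(fields[i]) == 0 ? "accepted" : "rejected");

    /* The unsafe parser is only ever run on the well-formed field here:
     * running it on LONG_FIELD would write 33 bytes into a 32-byte buffer. */
    printf("unsafe parser on the valid field: %d\n",
           parse_stored_key_unsafe(GOOD_FIELD, key));
    return 0;
}
```

The over-long field is exactly what a user can store through their own password change: the verifier string is attacker-controlled text, so the only safe place to enforce the fixed key size is at decode time, before anything is written to the stack buffer.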
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- BOSH v268.2.x versions prior to v268.2.7
- BOSH v268.6.x versions prior to v268.6.4
- BOSH v269.0.x versions prior to v269.0.5
- Pivotal Ops Manager 2.4.x versions prior to 2.4.17
- Pivotal Ops Manager 2.5.x versions prior to 2.5.12
- Pivotal Ops Manager 2.6.x versions prior to 2.6.6
- UAA v73.x versions prior to v73.4.2
Mitigation
Users of affected versions should upgrade to one of the following releases, which fix this issue:
- BOSH v268.2.7
- BOSH v268.6.4
- BOSH v269.0.5
- Pivotal Ops Manager 2.4.17
- Pivotal Ops Manager 2.5.12
- Pivotal Ops Manager 2.6.6
- UAA v73.4.2
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10164
- https://www.cloudfoundry.org/blog/cve-2019-10164/
History
2019-08-20: Initial vulnerability report published.