Severity

medium

Vendor

VMware Tanzu

Versions Affected

• Canonical Ubuntu 16.04

Description

Jacob Champion discovered that PostgreSQL incorrectly handled SSL certificate verification and encryption. A remote attacker could possibly use this issue to inject arbitrary SQL queries when a connection is first established. Update Instructions: Run `sudo pro fix USN-5765-1` to fix the vulnerability. The problem can be corrected by updating your system to the following package versions: postgresql-doc-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 postgresql-plperl-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 postgresql-server-dev-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 postgresql-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 postgresql-plpython-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 libecpg6 - 9.5.25-0ubuntu0.16.04.1+esm3 postgresql-client-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 libpq5 - 9.5.25-0ubuntu0.16.04.1+esm3 postgresql-contrib-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 libpgtypes3 - 9.5.25-0ubuntu0.16.04.1+esm3 libecpg-dev - 9.5.25-0ubuntu0.16.04.1+esm3 postgresql-pltcl-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 libpq-dev - 9.5.25-0ubuntu0.16.04.1+esm3 postgresql-plpython3-9.5 - 9.5.25-0ubuntu0.16.04.1+esm3 libecpg-compat3 - 9.5.25-0ubuntu0.16.04.1+esm3 Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro

CVEs contained in this USN include: CVE-2021-23222

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

• Operations Manager
  • 2.10.x versions prior to 2.10.9

Mitigation

Users of affected products are strongly encouraged to follow the mitigation below. On the Tanzu Network product page for each release, check the Depends On section and/or Release Notes for this information. Releases that have fixed this issue include:

• Operations Manager
  • 2.10.9

References

• https://ubuntu.com/security/CVE-2021-23222
• https://ubuntu.com/security/notices/USN-5765-1

History

2023-04-12: Initial vulnerability report published.