Vulnerability category: Amazon Linux
Severity:
Vulnerability information
Privilege escalation flaws were found in the initialization scripts of PostgreSQL. A remote attacker with access to the postgres user account could use these flaws to obtain root access on the server machine. (CVE-2017-12172)
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL can crash the server or disclose a few bytes of server memory. (CVE-2017-15098)
QID Detection Logic:
This authenticated QID checks whether the installed version of any of the following packages is lower than:
9.2.24-1.65.amzn1: postgresql92-plperl, postgresql92-debuginfo, postgresql92-server-compat, postgresql92-plpython27, postgresql92-devel, postgresql92-server, postgresql92-libs, postgresql92-contrib, postgresql92, postgresql92-test, postgresql92-pltcl, postgresql92-plpython26, postgresql92-docs
9.4.15-1.73.amzn1: postgresql94-plpython27, postgresql94-debuginfo, postgresql94-docs, postgresql94-libs, postgresql94-devel, postgresql94-server, postgresql94-plperl, postgresql94, postgresql94-test, postgresql94-plpython26, postgresql94-contrib
9.3.20-1.69.amzn1: postgresql93-pltcl, postgresql93-test, postgresql93-plpython26, postgresql93-libs, postgresql93-server, postgresql93-docs, postgresql93-contrib, postgresql93-devel, postgresql93-debuginfo, postgresql93-plpython27, postgresql93, postgresql93-plperl
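The same version check can be reproduced locally. The following is an added example, not the scanner's own code: it assumes input lines in the form produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, uses a simplified segment comparison (no epoch, `~` or `^` handling), and the function names and sample lines are constructed for illustration.

```python
import re

# Fixed versions from the detection logic above, keyed by package family.
FIXED = {
    "postgresql92": "9.2.24-1.65.amzn1",
    "postgresql93": "9.3.20-1.69.amzn1",
    "postgresql94": "9.4.15-1.73.amzn1",
}

def _segcmp(a, b):
    """Simplified rpmvercmp: compare runs of digits / letters pairwise."""
    ta, tb = re.findall(r"\d+|[A-Za-z]+", a), re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)              # numeric compare: 9 < 15
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1    # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def vr_cmp(a, b):
    """Compare two VERSION-RELEASE strings; returns -1, 0 or 1."""
    (va, _, ra), (vb, _, rb) = a.partition("-"), b.partition("-")
    return _segcmp(va, vb) or _segcmp(ra, rb)

def vulnerable(lines):
    """Return (name, installed, fixed) for packages older than the fixed build."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        name, installed = parts
        fixed = FIXED.get(name.split("-")[0])  # postgresql92-server -> postgresql92
        if fixed and vr_cmp(installed, fixed) < 0:
            hits.append((name, installed, fixed))
    return hits

# Constructed sample inventory, not taken from a real host.
SAMPLE = """postgresql92-server 9.2.23-1.64.amzn1
postgresql92-libs 9.2.24-1.65.amzn1
postgresql93 9.3.20-1.68.amzn1
postgresql94-server 9.4.9-1.70.amzn1
openssl 1.0.2k-8.106.amzn1""".splitlines()

if __name__ == "__main__":
    for name, installed, fixed in vulnerable(SAMPLE):
        print(f"{name}: {installed} < {fixed}")
```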
Impact
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
Solution
Please refer to Amazon advisory ALAS-2017-931 for affected packages and patching details, or update with your package manager.
Patch:
The following are links for downloading patches to fix the vulnerabilities: