PostgreSQL Conversion Encoding Remote Denial of Service Vulnerability
Gravedad: Medio
Identificadores de CVE : CVE-2009-0922
Fecha recomendada: 01 de julio de 2011
Descripción
PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
nvd: Per: https://bugzilla.redhat.com/show_bug.cgi?id=488156
"PostgreSQL allows remote authenticated users to cause a momentary denial
of service (crash due to stack consumption) when there is a failure to
convert a localized error message to the client-specified encoding.
In releases 8.3.6, 8.2.12, 8.1.16. 8.0.20, and 7.4.24, a trivial
misconfiguration is sufficient to provoke a crash. In older releases
it is necessary to select a locale and client encoding for which
specific messages fail to translate, and so a given installation may or
may not be vulnerable depending on the administrator-determined locale
setting.
Releases 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 are secure against
all known variants of this issue."
Revelación de la información
Trend Micro Deep Security shields networks through Deep Packet Inspection (DPI) rules. Trend Micro customers using OfficeScan with Intrusion Defense Firewall (IDF) plugin are also protected from attacks using these vulnerabilities. Please refer to the filter number and filter name when applying appropriate DPI and/or IDF rules.
Soluciones
Trend Micro Deep Security DPI Rule Number: 1000481
Trend Micro Deep Security DPI Rule Name: 1000481 - PostgreSQL Encoded String Handling SQL Command Injection
Software y versión afectados
- postgresql postgresql 7.4.24
- postgresql postgresql 8.0.20
- postgresql postgresql 8.1.16
- postgresql postgresql 8.2.12
- postgresql postgresql 8.3.6