Security Advisory for PostgreSQL Vulnerability CVE-2024-7348

Following the publication of CVE-2024-7348, NetApp began investigating its potential impact on our Instaclustr Managed PostgreSQL® offering.

This CVE identified an issue where replacing a relation type with a view or foreign table allows the user to execute arbitrary SQL functions by causing a race condition in the pg_dump command. The Base CVSS (Common Vulnerability Scoring System) v3.1 Score for this vulnerability by the NVD (National Vulnerability Database) is 8.8 (HIGH). All versions prior to PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Impact Analysis

NetApp performed an investigation into this vulnerability and its potential impact on customers of our Managed PostgreSQL Service and assessed its severity rating as Base CVSS v3.1 Score 8.0 (HIGH). The bases for this assessment are listed below:

  • Exploit of this vulnerability will allow an attacker to execute arbitrary SQL functions with escalated privileges leading to unauthorized access (add/modify/remove) to sensitive data.
  • A successful attacker is required to have network access to the host running a vulnerable PostgreSQL version and also win a pg_dump race condition.
  • The risk of this vulnerability is reduced by Instaclustr’s network access control mechanisms, which require an attacker to be in the same VPC as the vulnerable host in order to exploit the vulnerability – refer to https://www.instaclustr.com/blog/instaclustr-security-features-overview/.

Mitigation approaches

Based on the details above, NetApp recommends the following actions for customers of our managed PostgreSQL service:

  • Review the access permissions of your PostgreSQL clusters to ensure that access is restricted to the minimum permissions sets, IP addresses, and trusted clients. You can find information about how to manage PostgreSQL users, ACLs, and firewall rules in the documentation section on our website.
  • Review the usage of and avoid running pg_dump with unnecessary privileges.

NetApp Response

  • PostgreSQL versions 16.4, 15.8 and 14.13 contain the fix for this vulnerability.
  • The fixed versions have been made available by the PostgreSQL Global Development Group and our development team is now building and testing them to be ready for release on the Managed Platform.
  • To ensure these fixes are delivered to all PostgreSQL clusters on our Managed Service, our support team will proactively patch existing clusters as soon as the new images are ready to be installed. We anticipate that affected clusters will be patched by late September.
  • This patch will occur outside the regular quarterly patching cycle and our Technical Operations Team will be in touch soon to inform you of when the patch will be applied.
  • We will mark older PostgreSQL versions as Closed and subsequently Retired once customer clusters have been upgraded in accordance with our lifecycle policy.
  • We recommend that our support customers upgrade to a version of PostgreSQL fixed for this vulnerability – 16.4, 15.8, 14.13, 13.16 or 12.20 depending on the major version being run.
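As an added example (not part of the NetApp advisory or the Instaclustr platform tooling), the following SQL supports the recommendations under Mitigation approaches and the upgrade recommendation above: it compares the running server with the fixed releases named in this advisory, creates a least-privilege role for running pg_dump, and lists login roles that hold superuser or CREATE on the public schema for the access review. The role name dump_operator, the password placeholder, and the use of pg_read_all_data (available from PostgreSQL 14) are assumptions; on 12 and 13 grant SELECT per schema instead.

```sql
-- 1. Is this server on a release that carries the CVE-2024-7348 fix?
--    server_version_num encodes major*10000 + minor (16.4 -> 160004).
WITH v AS (SELECT current_setting('server_version_num')::int AS num)
SELECT current_setting('server_version') AS server_version,
       CASE num / 10000
         WHEN 16 THEN num >= 160004
         WHEN 15 THEN num >= 150008
         WHEN 14 THEN num >= 140013
         WHEN 13 THEN num >= 130016
         WHEN 12 THEN num >= 120020
         ELSE NULL   -- major versions not named in this advisory
       END AS has_cve_2024_7348_fix
FROM v;

-- 2. A dedicated, read-only role for pg_dump (assumed name: dump_operator).
--    pg_read_all_data (PostgreSQL 14+) grants SELECT on all tables, views and
--    sequences plus USAGE on all schemas, which is what a dump needs and
--    nothing more: no superuser, no role creation, no object creation.
CREATE ROLE dump_operator LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE
       PASSWORD 'REPLACE-WITH-A-STRONG-SECRET';   -- placeholder, not a real secret
GRANT pg_read_all_data TO dump_operator;
REVOKE CREATE ON SCHEMA public FROM dump_operator;
-- Then run dumps as this role, e.g.: pg_dump -U dump_operator -d <database>

-- 3. Access review: login roles with superuser, or able to create objects in
--    the public schema. Confirm each one actually needs that privilege.
SELECT r.rolname,
       r.rolsuper,
       has_schema_privilege(r.rolname, 'public', 'CREATE') AS can_create_in_public
FROM pg_roles r
WHERE r.rolcanlogin
  AND r.rolname NOT LIKE 'pg\_%'          -- skip built-in pg_* roles
ORDER BY r.rolsuper DESC, can_create_in_public DESC, r.rolname;
```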
By Instaclustr Support