PostgreSQL Vulnerability in REFRESH MATERIALIZED VIEW CONCURRENTLY (CVE-2024-0985)
Question:
What is the security issue affecting PostgreSQL in UCS, and is my server affected by CVE-2024-0985?
Answer:
A security vulnerability (CVE-2024-0985) has been identified in PostgreSQL versions up to 11.21 that impacts the REFRESH MATERIALIZED VIEW CONCURRENTLY command.
The issue arises from a late privilege drop during the refresh process. An attacker who creates a specially crafted materialized view can exploit this behavior to execute arbitrary SQL functions with the privileges of the command issuer.
Impact
- The command is intended to execute as the owner of the materialized view, which should provide a safe way to refresh untrusted views.
- However, due to this flaw, a maliciously prepared view can trick a superuser or a user with suitable privileges into refreshing it, resulting in unintended execution of attacker-controlled functions.
- As part of the attack, functions may use CREATE RULE to convert internally built temporary tables into views.
Affected Versions
- PostgreSQL 11.5.0–6…7 up to 11.21.
Fixed Version
- The issue has been resolved in PostgreSQL 11.22-0+deb10u2, released on 2024-03-27.
- The CVE has been patched with Erratum 1004 for UCS 5.0-x.
Mitigation
- Update PostgreSQL to the fixed version via the Univention package repositories.
- If your system shows a more current version, e.g. using univention-app info, your system should be patched.
- Ensure that only trusted administrators can run REFRESH MATERIALIZED VIEW CONCURRENTLY.
- Avoid executing this command on untrusted or user-provided materialized views.
References
- CVE ID: CVE-2024-0985
- Univention Bug: Bug #57175