A high-severity security vulnerability, identified as CVE-2024-10979, has been discovered in PostgreSQL, a widely used open-source relational database management system. This flaw allows unprivileged users to manipulate environment variables, which could lead to arbitrary code execution or information disclosure. The issue stems from incorrect control of environment variables in PostgreSQL’s PL/Perl, an extension used for integrating Perl scripts with the database. The vulnerability has been assigned a CVSS score of 8.8, indicating its potential for significant impact on affected systems.
Environment variables are essential for the dynamic configuration of software applications, as they can store sensitive data such as access keys or paths to important files. In the case of PostgreSQL, the flaw allows attackers to modify variables like the PATH, which could enable them to execute malicious code on the database server. This type of vulnerability is particularly dangerous because it does not require elevated privileges or access to the server’s operating system. A skilled attacker could exploit this flaw to gain unauthorized control over the database environment, posing severe risks to system security.
PostgreSQL has addressed the issue in several recent releases, including versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. These updates contain patches that mitigate the risk of exploitation. The researchers from Varonis, who discovered the flaw, emphasized that the vulnerability could lead to severe security breaches, such as the execution of arbitrary code or extraction of sensitive data from the machine. They also highlighted the potential for lateral movement within the compromised network, further amplifying the threat’s scope.
To protect against this vulnerability, PostgreSQL users are strongly advised to update to the latest versions of the software. Additionally, it is recommended to restrict permissions related to extensions, such as limiting CREATE EXTENSIONS to trusted extensions only. Database administrators should also configure PostgreSQL to load only the necessary extensions and enforce the principle of least privilege when assigning function creation permissions. By applying these security measures, organizations can reduce their exposure to this critical vulnerability and strengthen the overall security of their PostgreSQL environments.
