Advisory Details

March 2nd, 2011

PostgreSQL Plus Advanced Server DBA Management Server Remote Authentication Bypass Vulnerability

ZDI-11-102
ZDI-CAN-996

CVE ID
CVSS SCORE 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)
AFFECTED VENDORS Postgres
AFFECTED PRODUCTS Plus SQL
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Postgres Plus Advanced Server DBA Management Server. Authentication is not required to exploit this vulnerability.

The flaw exists within the DBA Management Server component which listens by default on TCP ports 9000 and 9363. When handling client authentication the server does not properly enforce restrictions on accessing the jmx-console or web-console directly. These consoles allow arbitrary instantiation of classes. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the server.

VENDOR RESPONSE Postgres states:

Postgres

SUBJECT: EnterpriseDB Technical Alert for Postgres Plus Advanced Server (DBA Management Server - Build 39) #20110209.01

TECHNICAL ALERT STATUS
========================

Status: Critical

Critical - this update fixes a potential security threat, a possible data corruption, calculation, search set, or other function that may lead to inaccurate results. The update should be applied at the earliest possible time as it may affect a large number of users.

Recommended - this update fixes non-critical issues that may impede general usage and require undesirable work-arounds affecting a limited number of users. The update is recommended to be applied when convenient.

Informational - this update is informational only for non-critical issues. No software update or patch needs to be applied and issues may be addressed in the field using the specified version currently installed.

WHAT IS IN THIS ALERT
=====================
This Technical Alert is notifying you of a software update that addresses the DBA Management Server module shipped with Postgres Plus Advanced Server v8.4 (8.4.x.x).

The software update contains the fix for a vulnerability that allows remote attackers to execute arbitrary code on vulnerable installations of Postgres Plus Advanced Server v8.4 DBA Management Server. The flaw existed due to a management feature in JBoss - the application server used by DBA Management Server. The default JBoss configuration does not properly enforce restrictions on accessing the jmx-console or web-console directly, when handling client authentication to the server. These consoles allow arbitrary instantiation of classes. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the server.

JBoss provides a mechanism to restrict access to these resources, which has been used to fix this vulnerability.

This update only updates the DBA Management Server files (Build 39). The core database server engine version remains unchanged.

ACKNOWLEDGEMENT
===================
Discovery of this vulnerability is credited to AbdulAziz Hariri and TippingPoints Zero Day Initiative.

IS THIS ALERT FOR ME?
====================
This alert is for customers using:

- Postgres Plus Advanced Server version: 8.4.x.x
- DBA Management Server

HOW TO GET THE UPDATE AND APPLY IT
==================================

This update is available through the Postgres Plus Advanced Server - StackBuilder Plus Module only.

Please perform the following steps in order to update your DBA Management Server for Postgres Plus Advanced Server. It is recommended that you backup your files before performing the upgrade.

1. Right-Click on the System tray icon (PostgreSQL Elephant) and select 'Install Updates'.
OR
Run StackBuilder Plus directly from the Application Menu. The update will automatically be selected and displayed in bold.

2. Click Next and choose the download directory (where the update will be downloaded).

3. The installation program will start once the download is complete.

HOW TO RESTORE THE ORIGINAL VERSION
===================================

In order to restore to the original version, run the PPAS 8.4 SP1 (8.4.5.18) meta-installer and select only the DBA Management Server in the component selection screen. This will restore the component to Build38.

TROUBLESHOOTING
=================

If you experience any problems applying the upgrade or restoring the old version after applying the upgrade, please contact Technical Support at:

Email: support@enterprisedb.com
Phone: +1-732-331-1320 or 1-800-235-5891 (US Only)
Submit a Support ticket at: http://www.enterprisedb.com/products/support/overview


DISCLOSURE TIMELINE
  • 2011-01-04 - Vulnerability reported to vendor
  • 2011-03-02 - Coordinated public release of advisory
CREDIT AbdulAziz Hariri
BACK TO ADVISORIES