|CVSS SCORE||10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)|
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Postgres Plus Advanced Server DBA Management Server. Authentication is not required to exploit this vulnerability.
The flaw exists within the DBA Management Server component which listens by default on TCP ports 9000 and 9363. When handling client authentication the server does not properly enforce restrictions on accessing the jmx-console or web-console directly. These consoles allow arbitrary instantiation of classes. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the server.
SUBJECT: EnterpriseDB Technical Alert for Postgres Plus Advanced Server (DBA Management Server - Build 39) #20110209.01
TECHNICAL ALERT STATUS
Critical - this update fixes a potential security threat, a possible data corruption, calculation, search set, or other function that may lead to inaccurate results. The update should be applied at the earliest possible time as it may affect a large number of users.
Recommended - this update fixes non-critical issues that may impede general usage and require undesirable work-arounds affecting a limited number of users. The update is recommended to be applied when convenient.
Informational - this update is informational only for non-critical issues. No software update or patch needs to be applied and issues may be addressed in the field using the specified version currently installed.
WHAT IS IN THIS ALERT
The software update contains the fix for a vulnerability that allows remote attackers to execute arbitrary code on vulnerable installations of Postgres Plus Advanced Server v8.4 DBA Management Server. The flaw existed due to a management feature in JBoss - the application server used by DBA Management Server. The default JBoss configuration does not properly enforce restrictions on accessing the jmx-console or web-console directly, when handling client authentication to the server. These consoles allow arbitrary instantiation of classes. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the server.
JBoss provides a mechanism to restrict access to these resources, which has been used to fix this vulnerability.
This update only updates the DBA Management Server files (Build 39). The core database server engine version remains unchanged.
IS THIS ALERT FOR ME?
- Postgres Plus Advanced Server version: 8.4.x.x
HOW TO GET THE UPDATE AND APPLY IT
This update is available through the Postgres Plus Advanced Server - StackBuilder Plus Module only.
Please perform the following steps in order to update your DBA Management Server for Postgres Plus Advanced Server. It is recommended that you backup your files before performing the upgrade.
1. Right-Click on the System tray icon (PostgreSQL Elephant) and select 'Install Updates'.
2. Click Next and choose the download directory (where the update will be downloaded).
3. The installation program will start once the download is complete.
HOW TO RESTORE THE ORIGINAL VERSION
In order to restore to the original version, run the PPAS 8.4 SP1 (220.127.116.11) meta-installer and select only the DBA Management Server in the component selection screen. This will restore the component to Build38.
If you experience any problems applying the upgrade or restoring the old version after applying the upgrade, please contact Technical Support at: