CVE-2017-7485: PostgreSQL vulnerabilities


Severity

High

Description

It was discovered that the PostgreSQL client library (libpq) did not enforce the use of TLS/SSL for a connection to a PostgreSQL server when the PGREQUIRESSL environment variable was set: the variable was silently ignored and the connection fell back to libpq's default behaviour, which accepts an unencrypted connection when the server declines SSL. A man-in-the-middle attacker positioned on the path between client and server could use this flaw to strip the SSL/TLS protection from the connection, exposing credentials and query traffic. Clients should not depend on PGREQUIRESSL alone to obtain encryption; request it explicitly with the sslmode connection parameter (sslmode=require at minimum, verify-full where the server certificate can be validated) or the PGSSLMODE environment variable, which libpq honours.
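As an added example (not part of this advisory, nor code from PostgreSQL or Greenplum), the following Python audits a client's libpq connection settings for exactly the condition described above: encryption requested only through PGREQUIRESSL. It models libpq's sslmode precedence (an explicit sslmode parameter, then PGSSLMODE, then, in a fixed libpq only, PGREQUIRESSL=1, then the default prefer), reports whether an affected libpq would still guarantee encryption, and emits a connection string with sslmode pinned so that encryption no longer depends on the environment. The connection strings and environments below are constructed for illustration; the parser covers only what the check needs and is not a complete libpq conninfo parser.

```python
"""Audit libpq connection settings for reliance on PGREQUIRESSL (CVE-2017-7485).

Added example, not code from the advisory or from PostgreSQL/Greenplum.
Connection strings and environments used here are constructed samples.
"""
import re
from typing import Dict, Mapping, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# libpq sslmode values, weakest to strongest. "require" and above guarantee
# encryption; only verify-ca/verify-full also authenticate the server.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

# One keyword=value pair: bare value, or single-quoted with backslash escapes.
_KV = re.compile(r"\s*(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))")


def _rank(mode: str) -> int:
    if mode not in SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")  # libpq rejects these too
    return SSLMODES.index(mode)


def _is_uri(conninfo: str) -> bool:
    return conninfo.strip().startswith(("postgresql://", "postgres://"))


def parse_conninfo(conninfo: str) -> Dict[str, str]:
    """Return the keyword/value pairs of a libpq connection string.

    Accepts both "host=db sslmode=require" (with libpq's quoting rules) and
    "postgresql://user@db/app?sslmode=require"; for the URI form only the
    query options and host are extracted.
    """
    conninfo = conninfo.strip()
    if _is_uri(conninfo):
        parts = urlsplit(conninfo)
        opts = dict(parse_qsl(parts.query, keep_blank_values=True))
        if parts.hostname:
            opts.setdefault("host", parts.hostname)
        return opts
    opts: Dict[str, str] = {}
    pos = 0
    while pos < len(conninfo):
        m = _KV.match(conninfo, pos)
        if not m:
            raise ValueError(f"malformed conninfo near {conninfo[pos:pos + 20]!r}")
        key, quoted, bare = m.groups()
        opts[key] = bare if quoted is None else re.sub(r"\\(.)", r"\1", quoted)
        pos = m.end()
    return opts


def effective_sslmode(conninfo: str, env: Mapping[str, str],
                      libpq_honours_pgrequiressl: bool) -> Tuple[str, str]:
    """Resolve the sslmode libpq would use and where it came from.

    Precedence: sslmode in the connection string, then PGSSLMODE, then
    PGREQUIRESSL=1 (only when libpq actually processes it; the affected
    versions did not), then libpq's default of "prefer".
    """
    opts = parse_conninfo(conninfo)
    if "sslmode" in opts:
        return opts["sslmode"], "sslmode parameter"
    if env.get("PGSSLMODE"):
        return env["PGSSLMODE"], "PGSSLMODE"
    if libpq_honours_pgrequiressl and env.get("PGREQUIRESSL") == "1":
        return "require", "PGREQUIRESSL"
    return "prefer", "libpq default"


def _quote(value: str) -> str:
    if value and not re.search(r"[\s'\\]", value):
        return value
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def harden(conninfo: str, minimum: str = "require") -> str:
    """Pin sslmode to at least `minimum` inside the connection string itself.

    "require" stops the plaintext downgrade; pass minimum="verify-full" when
    the client has a CA certificate to validate the server against.
    """
    opts = parse_conninfo(conninfo)
    current = opts.get("sslmode")
    if current is not None and _rank(current) >= _rank(minimum):
        return conninfo  # already at least as strict; leave untouched
    if _is_uri(conninfo):
        parts = urlsplit(conninfo.strip())
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        query["sslmode"] = minimum
        return urlunsplit(parts._replace(query=urlencode(query)))
    pairs = [f"{k}={_quote(v)}" for k, v in opts.items() if k != "sslmode"]
    pairs.append(f"sslmode={minimum}")
    return " ".join(pairs)


def audit(conninfo: str, env: Mapping[str, str]) -> Dict[str, object]:
    """Compare what an affected and a fixed libpq would do with these settings."""
    affected_mode, affected_src = effective_sslmode(conninfo, env, False)
    fixed_mode, fixed_src = effective_sslmode(conninfo, env, True)
    return {
        "affected_libpq": {"sslmode": affected_mode, "source": affected_src,
                           "encrypted": _rank(affected_mode) >= _rank("require")},
        "fixed_libpq": {"sslmode": fixed_mode, "source": fixed_src,
                        "encrypted": _rank(fixed_mode) >= _rank("require")},
        # True exactly when PGREQUIRESSL is the only thing asking for TLS:
        # this client is the one the advisory's downgrade attack applies to.
        "relies_on_pgrequiressl": fixed_src == "PGREQUIRESSL",
        "hardened_conninfo": harden(conninfo),
    }


if __name__ == "__main__":
    # Constructed samples: a client that relied on PGREQUIRESSL, and one that
    # already pins verify-full in the connection string.
    for conninfo, env in [("host=db dbname=app", {"PGREQUIRESSL": "1"}),
                          ("postgresql://app@db/app?sslmode=verify-full", {})]:
        print(conninfo, "->", audit(conninfo, env))
```

Run the audit against the connection strings and environment your application actually uses; anything reporting relies_on_pgrequiressl as true was unprotected on an affected libpq, and the hardened_conninfo it returns is the minimal change that removes the dependency on the environment.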

Affected Pivotal Products and Versions

Severity is high unless otherwise noted.

  • Pivotal Greenplum 4.3.x versions prior to 4.3.14.1

Mitigation

Users of affected versions should apply the following mitigation:

  • The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
  • Releases that have fixed this issue include:
    • Pivotal Greenplum: 4.3.14.1

References