Solved

Vulnerability in PostgreSQL < Version 15.4


JMeixner
  • On the path to Greatness
  • 2650 comments

A new vulnerability in PostgreSQL was published today - CVE-2023-39418
https://www.postgresql.org/support/security/CVE-2023-39418/

All versions < 15.4 are affected.

Version 15.4 was published on August 8th, 2023.
https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/

Does Veeam advise updating PostgreSQL on VBR servers to version 15.4?

9 comments

Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8512 comments
  • August 11, 2023

Since v12 comes with 15.1 I believe I would upgrade to 15.4.  Probably a good idea.


JMeixner
  • Author
  • On the path to Greatness
  • 2650 comments
  • August 11, 2023

To update, or not to update, that is the question… 😎


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8512 comments
  • August 11, 2023

I would update as there have been enhancements, fixes, etc. since 15.1.  😉


dips
  • Veeam Legend
  • 808 comments
  • August 18, 2023

Thanks for heads up @JMeixner 

One for @Mildur - Does Veeam have a list of supported versions of PostgreSQL?


Mildur
  • Influencer
  • 1035 comments
  • Answer
  • August 18, 2023

UPDATE, August 21st, 2023:

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

_________________________________________________________________________

Sure, in our user guide under requirement:

System Requirements - User Guide for VMware vSphere (veeam.com)

Local or remote installation of the following versions of PostgreSQL:

  • PostgreSQL 14.x
  • PostgreSQL 15.x (PostgreSQL 15.1 is included in the Veeam Backup & Replication setup, but we strongly recommend to download and install the latest PostgreSQL 15.x version)

 

Personally I don’t see a huge issue with this security vulnerability. It has a low score. And an attacker must have access to the database or the backup server. If both are protected against unauthorized access as it should be, chances to use that vulnerability are near zero.

Let me talk to our team about this one.


By the way, if you found a vulnerability in our products, components used by us or any other Veeam property, please report it via our Vulnerability Report:

Submit Vulnerability Report (veeam.com)

 

Best,

Fabian
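
The two conditions named in the answer above (row security policies created by CREATE POLICY, and use of the merge command) can be checked on any PostgreSQL instance from its system catalogs. The queries below are an added example, not part of the original post and not a Veeam procedure; step 4 assumes the optional pg_stat_statements extension is installed.

```sql
-- Added example: inventory for the conditions described in the answer.
-- Run in every database of the instance; policies are stored per database.

-- 1. Server version. server_version_num is 150001 for 15.1 and 150004 for 15.4,
--    the release the thread names as fixed. MERGE exists only from PostgreSQL 15 on.
SELECT current_setting('server_version')                    AS server_version,
       current_setting('server_version_num')::int           AS version_num,
       current_setting('server_version_num')::int < 150004  AS older_than_15_4;

-- 2. Tables that have row-level security enabled or forced.
SELECT n.nspname            AS schema_name,
       c.relname            AS table_name,
       c.relrowsecurity     AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM   pg_catalog.pg_class c
JOIN   pg_catalog.pg_namespace n ON n.oid = c.relnamespace
WHERE  c.relkind IN ('r', 'p')            -- ordinary and partitioned tables
  AND  (c.relrowsecurity OR c.relforcerowsecurity)
ORDER  BY schema_name, table_name;

-- 3. Policies created by CREATE POLICY, with the command each one applies to.
SELECT schemaname, tablename, policyname, cmd, roles
FROM   pg_catalog.pg_policies
ORDER  BY schemaname, tablename, policyname;

-- 4. Optional, only if pg_stat_statements is installed (assumption):
--    statements seen by the server that contain MERGE INTO.
SELECT d.datname, s.calls, s.query
FROM   pg_stat_statements s
JOIN   pg_catalog.pg_database d ON d.oid = s.dbid
WHERE  s.query ~* '\mmerge\s+into\M'
ORDER  BY s.calls DESC;

-- 5. One-row summary for the current database.
SELECT current_database() AS database_name,
       (SELECT count(*) FROM pg_catalog.pg_policies) AS policy_count,
       (SELECT count(*) FROM pg_catalog.pg_class
         WHERE relkind IN ('r', 'p') AND relrowsecurity) AS rls_table_count;
```

If steps 2 and 3 return no rows in every database, the instance has no row security policies and the condition described in the answer does not apply to it.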


JMeixner
  • Author
  • On the path to Greatness
  • 2650 comments
  • August 18, 2023

😎 This is what I wanted to hear.

Thank you @Mildur 👍🏽


dips
  • Veeam Legend
  • 808 comments
  • August 18, 2023

Thanks Detective @Mildur Knew you would have the answer 😋


Mildur
  • Influencer
  • 1035 comments
  • August 21, 2023

Hello

 

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

Best,

Fabian

 


Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8512 comments
  • August 21, 2023
Mildur wrote:

Hello

 

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

Best,

Fabian

 

That is great to hear Mildur thanks for the follow up. 👍