Skip to main content

A new vulnerability in PostgreSQL was published today - CVE-2023-39418
https://www.postgresql.org/support/security/CVE-2023-39418/

All versions < 15.4 are affected.

 

Version 15.4 was published at August 8th 2023.
https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/

 

Does Veeam advise to update PostgreSQL on VBR servers to version 15.4?

Since v12 comes with 15.1 I believe I would upgrade to 15.4.  Probably a good idea.


To update, or not to update, that is the question… 😎


I would update as there have been enhancements, fixes, etc. since 15.1.  😉


Thanks for heads up @JMeixner 

One for @Mildur - Does Veeam have a list of supported versions of PostgreSQL?


UPDATE, August 21st, 2023:

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

_________________________________________________________________________

Sure, in our user guide under requirement:

System Requirements - User Guide for VMware vSphere (veeam.com)

Local or remote installation of the following versions of PostgreSQL1:

  • PostgreSQL 14.x
  • PostgreSQL 15.x (PostgreSQL 15.1 is included in the Veeam Backup & Replication setup, but we strongly recommend to download and install the latest PostgreSQL 15.x version)

 

Personally I don’t see a huge issue with this security vulnerability. It has a low Score. And an attacker must have access to the database or the backup server. If both are protected against unauthorized access as it should be, chances to use that vulnerability are near zero.

Let me talk to our team about this one.


By the way, if you found a vulnerability in our products, components used by us or any other veeam property, please report it via our Vulnerability Report:

Submit Vulnerability Report (veeam.com)

 

Best,

Fabian


😎 This is what I wanted to hear.

Thank you @Mildur 👍🏽


Thanks Detective @Mildur Knew you would have the answer 😋


Hello

 

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

Best,

Fabian

 


Hello

 

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

Best,

Fabian

 

That is great to hear Mildur thanks for the follow up. 👍


Comment