Skip to main content
Solved

Vulnerability in PostgerSQL < Version 15.4

JMeixner
Forum|alt.badge.img+17
  • JMeixner
  • On the path to Greatness
  • 2650 comments

A new vulnerability in PostgreSQL was published today - CVE-2023-39418
https://www.postgresql.org/support/security/CVE-2023-39418/

All versions < 15.4 are affected.

 

Version 15.4 was published at August 8th 2023.
https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/

 

Does Veeam advise to update PostgreSQL on VBR servers to version 15.4?

Best answer by Mildur

UPDATE, August 21st, 2023:

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

_________________________________________________________________________

Sure, in our user guide under requirement:

System Requirements - User Guide for VMware vSphere (veeam.com)

Local or remote installation of the following versions of PostgreSQL1:

  • PostgreSQL 14.x
  • PostgreSQL 15.x (PostgreSQL 15.1 is included in the Veeam Backup & Replication setup, but we strongly recommend to download and install the latest PostgreSQL 15.x version)

 

Personally I don’t see a huge issue with this security vulnerability. It has a low Score. And an attacker must have access to the database or the backup server. If both are protected against unauthorized access as it should be, chances to use that vulnerability are near zero.

Let me talk to our team about this one.


By the way, if you found a vulnerability in our products, components used by us or any other veeam property, please report it via our Vulnerability Report:

Submit Vulnerability Report (veeam.com)

 

Best,

Fabian

View original
Jochen (Joe) Meixner | Veeam Vanguard 2024 | Veeam Legend 2021 - 2024 | Veeam Certified Architect (VMCA) | Twitter: @JoMeix | BlueSky: @jmeixner.bsky.social
Madi.Cristil
1 person likes this
  • Madi.Cristil
    Madi.Cristil
Did this topic help you find an answer to your question?

9 comments

Chris.Childerhose
Forum|alt.badge.img+21
  • Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8512 comments
  • August 11, 2023

Since v12 comes with 15.1 I believe I would upgrade to 15.4.  Probably a good idea.

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
dloseke
TylerJurgens
2 people like this
  • dloseke
    dloseke
  • TylerJurgens
    TylerJurgens
JMeixner
Forum|alt.badge.img+17
  • JMeixner
  • Author
  • On the path to Greatness
  • 2650 comments
  • August 11, 2023

To update, or not to update, that is the question… 😎

Jochen (Joe) Meixner | Veeam Vanguard 2024 | Veeam Legend 2021 - 2024 | Veeam Certified Architect (VMCA) | Twitter: @JoMeix | BlueSky: @jmeixner.bsky.social
Chris.Childerhose
dloseke
2 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • dloseke
    dloseke
Chris.Childerhose
Forum|alt.badge.img+21
  • Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8512 comments
  • August 11, 2023

I would update as there have been enhancements, fixes, etc. since 15.1.  😉

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech
dloseke
1 person likes this
  • dloseke
    dloseke
dips
Forum|alt.badge.img+7
  • dips
  • Veeam Legend
  • 808 comments
  • August 18, 2023

Thanks for heads up @JMeixner 

One for @Mildur - Does Veeam have a list of supported versions of PostgreSQL?

Dipen N. K. | IT Security Specialist | Veeam Legend 2022 - 2025 | Cyber Security Space VUG Leader
Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
Mildur
Forum|alt.badge.img+12
  • Mildur
  • Influencer
  • 1035 comments
  • Answer
  • August 18, 2023

UPDATE, August 21st, 2023:

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

_________________________________________________________________________

Sure, in our user guide under requirement:

System Requirements - User Guide for VMware vSphere (veeam.com)

Local or remote installation of the following versions of PostgreSQL1:

  • PostgreSQL 14.x
  • PostgreSQL 15.x (PostgreSQL 15.1 is included in the Veeam Backup & Replication setup, but we strongly recommend to download and install the latest PostgreSQL 15.x version)

 

Personally I don’t see a huge issue with this security vulnerability. It has a low Score. And an attacker must have access to the database or the backup server. If both are protected against unauthorized access as it should be, chances to use that vulnerability are near zero.

Let me talk to our team about this one.


By the way, if you found a vulnerability in our products, components used by us or any other veeam property, please report it via our Vulnerability Report:

Submit Vulnerability Report (veeam.com)

 

Best,

Fabian

Product Management Analyst @ Veeam Software
Chris.Childerhose
JMeixner
dips
4 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • JMeixner
    JMeixner
  • dips
    dips
  • N
    Network.Penguin
JMeixner
Forum|alt.badge.img+17
  • JMeixner
  • Author
  • On the path to Greatness
  • 2650 comments
  • August 18, 2023

😎 This is what I wanted to hear.

Thank you @Mildur 👍🏽

Jochen (Joe) Meixner | Veeam Vanguard 2024 | Veeam Legend 2021 - 2024 | Veeam Certified Architect (VMCA) | Twitter: @JoMeix | BlueSky: @jmeixner.bsky.social
Chris.Childerhose
Mildur
dips
3 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Mildur
    Mildur
  • dips
    dips
dips
Forum|alt.badge.img+7
  • dips
  • Veeam Legend
  • 808 comments
  • August 18, 2023

Thanks Detective @Mildur Knew you would have the answer 😋

Dipen N. K. | IT Security Specialist | Veeam Legend 2022 - 2025 | Cyber Security Space VUG Leader
Chris.Childerhose
Mildur
2 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Mildur
    Mildur
Mildur
Forum|alt.badge.img+12
  • Mildur
  • Influencer
  • 1035 comments
  • August 21, 2023

Hello

 

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

Best,

Fabian

 

Product Management Analyst @ Veeam Software
Chris.Childerhose
1 person likes this
  • Chris.Childerhose
    Chris.Childerhose
Chris.Childerhose
Forum|alt.badge.img+21
  • Chris.Childerhose
  • Veeam Legend, Veeam Vanguard
  • 8512 comments
  • August 21, 2023
Mildur wrote:

Hello

 

We checked the security vulnerability. It doesn’t affect Veeam Backup & Replication.

The vulnerability affects databases with row security policies created by CREATE POLICY. Furthermore it affects only the merge command in such databases. Veeam Backup & Replication does not use row security policies or the merge command.

 

Best,

Fabian

 

That is great to hear Mildur thanks for the follow up. 👍

Chris Childerhose - VMCA2024 | VMCE2023 | VMCE-SP2024 | Veeam Vanguard 8* | Veeam Legend 5* | vExpert 6* | VCAP-DCV/VCP-DCV | Object First Ace | Cisco Champion | Twitter: @cchilderhose | Blog Site – https://just-virtualization.tech

Comment


Terms & Conditions