Significant security flaw discovered in PostgreSQL PL/Perl
Take action: If you are running a PostgreSQL database, review this advisory in detail. The exploit requires database credentials, but once a database session is obtained the remaining steps are not difficult. Plan to patch soon.
A significant security vulnerability has been discovered in PostgreSQL's trusted language extension PL/Perl by Varonis researchers Tal Peleg and Coby Abrams.
The flaw is tracked as CVE-2024-10979 (CVSS score 8.8) and allows unauthorized setting of arbitrary environment variables in PostgreSQL session processes. The vulnerability enables attackers to modify sensitive environment variables (such as PATH), execute arbitrary code without holding an operating system user account, run additional queries to gather system information, and access machine and database contents.
Affected Versions: All PostgreSQL versions before:
- 17.1
- 16.5
- 15.9
- 14.14
- 13.17
- 12.21
Recommended actions:
- Update PostgreSQL to the latest minor version
- Restrict allowed extensions by:
  - Limiting CREATE EXTENSION permission grants
  - Setting the shared_preload_libraries configuration to load only required extensions
  - Restricting CREATE FUNCTION permissions following the least privilege principle
- Monitor for suspicious activity by:
  - Checking DDL logs for unrecognized plperl function creation
  - Searching for references to the ENV hash in function code using the provided SQL query
- For affected PL/Perl implementations:
  - Evaluate whether applications can proceed without environment modifications
  - Consider switching to plperlu or alternative approaches
  - Modify code to stop attempting environment modifications
  - Add "untie %main::ENV" to affected functions or to the plperl.on_plperl_init setting if necessary
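The advisory mentions a SQL query for locating PL/Perl functions that reference the Perl environment hash but does not reproduce it here. The block below is an added example, not the advisory's or Varonis's query; it reads the standard PostgreSQL catalogs (pg_proc, pg_language, pg_namespace, pg_roles) and assumes the functions of interest were created with the built-in plperl or plperlu languages. The first query flags function bodies that touch %ENV; the second inventories every PL/Perl function with its owner so the list can be compared against the DDL log.

```sql
-- Added example (not from the advisory). Run in psql as a role that can see
-- the catalogs; pg_proc.prosrc is readable by all roles in a stock install.

-- 1. PL/Perl functions whose source references the environment hash.
--    The regex matches $ENV{...}, %ENV and main::ENV (tie/untie usage).
SELECT n.nspname                    AS schema_name,
       p.proname                    AS function_name,
       pg_get_userbyid(p.proowner)  AS owner,
       l.lanname                    AS language,
       p.prosrc                     AS source
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname IN ('plperl', 'plperlu')
  AND  p.prosrc ~ '(\$ENV\s*\{|%ENV|main::ENV)'
ORDER  BY n.nspname, p.proname;

-- 2. Inventory of all PL/Perl functions and who owns them. Functions owned by
--    non-superuser roles in the trusted language (plperl) are the ones to
--    reconcile against CREATE FUNCTION entries in the DDL log.
SELECT n.nspname                    AS schema_name,
       p.proname                    AS function_name,
       l.lanname                    AS language,
       r.rolname                    AS owner,
       r.rolsuper                   AS owner_is_superuser
FROM   pg_catalog.pg_proc      p
JOIN   pg_catalog.pg_language  l ON l.oid = p.prolang
JOIN   pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_catalog.pg_roles     r ON r.oid = p.proowner
WHERE  l.lanname IN ('plperl', 'plperlu')
ORDER  BY r.rolsuper, n.nspname, p.proname;
```

The pattern in the first query is deliberately broad: a hit means the function body mentions the environment hash, not that it modifies it, so each result still needs a manual read. Functions written in plperlu are included because they can legitimately change the environment; listing them alongside trusted plperl functions makes it easier to decide, per function, whether the "switch to plperlu" or "stop modifying the environment" option from the advisory applies.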