Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05Y2ZoLXZ4OTMtODR2ds4AAzRE
PostgresNIO processes unencrypted bytes from man-in-the-middle
Impact
Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption.
The remaining text in this section is quoted verbatim from PostgreSQL's CVE-2021-23222 advisory:
If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property is a PostgreSQL configuration vulnerable to CVE-2021-23214. As with any exploitation of CVE-2021-23214, the server must be using trust authentication with a clientcert requirement or using cert authentication. To disclose a password, the client must be in possession of a password, which is atypical when using an authentication configuration vulnerable to CVE-2021-23214. The attacker must have some other way to access the server to retrieve the exfiltrated data (a valid, unprivileged login account would be sufficient).
Patches
The vulnerability is addressed in PostgresNIO versions starting from 1.14.2 via 2df54bc94607f44584ae6ffa74e3cd754fffafc7, which required additional support from SwiftNIO.
Workarounds
There are no known workarounds for unpatched users.
Additional Credits
Special thanks to PostgreSQL's Tom Lane <[email protected]> for reporting this issue!
References
- PostgreSQL security advisory for CVE-2021-23222
- GitHub security advisory GHSA-735f-7qx4-jqq5 for CVE-2021-23222
- PostgreSQL security advisory for CVE-2021-23214
- GitHub security advisory GHSA-467w-rrqc-395f for CVE-2021-23214
- SwiftNIO PR #2419 Add unprocessedBytes property on NIOSingleStepByteToMessageProcessor
- PostgresNIO commit 2df54bc94607f44584ae6ffa74e3cd754fffafc7
- PostgresNIO 1.42.2 release
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05Y2ZoLXZ4OTMtODR2ds4AAzRE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-9cfh-vx93-84vv, CVE-2023-31136
References:
- https://github.com/vapor/postgres-nio/security/advisories/GHSA-9cfh-vx93-84vv
- https://nvd.nist.gov/vuln/detail/CVE-2023-31136
- https://github.com/apple/swift-nio/pull/2419
- https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7
- https://github.com/advisories/GHSA-467w-rrqc-395f
- https://github.com/advisories/GHSA-735f-7qx4-jqq5
- https://github.com/vapor/postgres-nio/releases/tag/1.14.2
- https://www.postgresql.org/support/security/CVE-2021-23214/
- https://www.postgresql.org/support/security/CVE-2021-23222/
- https://github.com/advisories/GHSA-9cfh-vx93-84vv
Blast Radius: 7.9
Affected Packages
swift:github.com/vapor/postgres-nio
Dependent packages: 10Dependent repositories: 137
Downloads:
Affected Version Ranges: < 1.14.2
Fixed in: 1.14.2
All affected versions: 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.2.0, 1.2.1, 1.2.2, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.5.2, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.7.0, 1.7.1, 1.7.2, 1.8.0, 1.9.0, 1.10.0, 1.11.0, 1.11.1, 1.12.0, 1.12.1, 1.13.0, 1.14.0, 1.14.1
All unaffected versions: 1.14.2, 1.15.0, 1.16.0, 1.17.0, 1.18.0, 1.18.1, 1.19.0, 1.19.1, 1.20.0, 1.20.1, 1.20.2, 1.21.0, 1.21.1, 1.21.2, 1.21.3, 1.21.4, 1.21.5, 1.21.6, 1.22.0, 1.22.1