JVNDB-2023-000008

Pgpool-II vulnerable to information disclosure

Overview

Pgpool-II is a cluster management tool. Pgpool-II contains an information disclosure vulnerability (CWE-200) in its watchdog function.
Note that only systems that meet all of the following configuration requirements are affected by this vulnerability.

  • The watchdog function is enabled (use_watchdog = on)
  • "query mode" is used for the alive monitoring of watchdog (wd_lifecheck_method = 'query')
  • A plain text password is set for wd_lifecheck_password

PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 5.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 3.5 (Low) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


PgPool Global Development Group
  • Pgpool-II 4.4.0 to 4.4.1 (4.4 series)
  • Pgpool-II 4.3.0 to 4.3.4 (4.3 series)
  • Pgpool-II 4.2.0 to 4.2.11 (4.2 series)
  • Pgpool-II 4.1.0 to 4.1.14 (4.1 series)
  • Pgpool-II 4.0.0 to 4.0.21 (4.0 series)
  • Pgpool-II All versions of 3.7 series
  • Pgpool-II All versions of 3.6 series
  • Pgpool-II All versions of 3.5 series
  • Pgpool-II All versions of 3.4 series
  • Pgpool-II All versions of 3.3 series

Impact

A specific database user's authentication information may be obtained by another database user.
As a result, the information stored in the database may be altered and/or the database may be suspended by an attacker who logged in with the obtained credentials.
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

  • Pgpool-II 4.4.2 (4.4 series)
  • Pgpool-II 4.3.5 (4.3 series)
  • Pgpool-II 4.2.12 (4.2 series)
  • Pgpool-II 4.1.15 (4.1 series)
  • Pgpool-II 4.0.22 (4.0 series)

The developer recommends that users upgrade the software to the 4.0 series or later, as the 3.3 to 3.7 series are no longer supported (End-of-Support) and no updates/patches are provided for them.

[Apply the workaround]
Applying the following workarounds may mitigate the impacts of this vulnerability.
Pgpool-II 3.3 series to 3.7 series

  • Stop using the watchdog function (use_watchdog = off)
  • Set as follows: wd_lifecheck_method = 'heartbeat'

Pgpool-II 4.0 series to 4.4 series

  • Stop using the watchdog function (use_watchdog = off)
  • Set as follows: wd_lifecheck_method = 'heartbeat'
  • Set an AES-encrypted password for wd_lifecheck_password
  • Set null characters for wd_lifecheck_password, and set the password in the pool_passwd file
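
The three setting requirements in the Overview and the workarounds above can be checked against a pgpool.conf file mechanically. The following is an added example, not code from JVN or from the PgPool Global Development Group; it assumes the documented Pgpool-II defaults for absent keys and the documented convention that an AES-encrypted password value carries an `AES` prefix, and the sample configurations are constructed.

```python
import re

# Defaults assumed from the Pgpool-II documentation when a key is absent.
DEFAULTS = {"use_watchdog": "off", "wd_lifecheck_method": "heartbeat",
            "wd_lifecheck_password": ""}
TRUE_WORDS = {"on", "true", "yes", "1"}
LINE_RE = re.compile(r"^\s*([A-Za-z_]\w*)\s*=\s*('(?:[^']|'')*'|[^#\s]*)")

def parse_conf(text):
    """Parse pgpool.conf-style 'key = value' lines; the last assignment wins."""
    conf = dict(DEFAULTS)
    for line in text.splitlines():
        m = LINE_RE.match(line)          # comment and blank lines do not match
        if not m:
            continue
        key, val = m.group(1).lower(), m.group(2)
        if len(val) >= 2 and val[0] == val[-1] == "'":
            val = val[1:-1].replace("''", "'")   # strip quotes, unescape ''
        conf[key] = val
    return conf

def password_storage(value):
    """Classify how wd_lifecheck_password is stored, without echoing it."""
    if value == "":
        return "pool_passwd"   # empty: password is looked up in pool_passwd
    if value.startswith("AES"):
        return "aes"           # AES prefix marks an encrypted value
    return "plaintext"         # TEXT prefix or no prefix: clear text

def audit(text):
    """Return (exposed, findings); exposed only if all three conditions hold."""
    conf = parse_conf(text)
    findings = {
        "use_watchdog": conf["use_watchdog"].lower() in TRUE_WORDS,
        "query_lifecheck": conf["wd_lifecheck_method"].lower() == "query",
        "plaintext_password":
            password_storage(conf["wd_lifecheck_password"]) == "plaintext",
    }
    return all(findings.values()), findings

# Constructed sample configurations (not taken from a real deployment).
AFFECTED = """
use_watchdog = on
wd_lifecheck_method = 'query'   # query mode
wd_lifecheck_password = 'S3cret-example'
"""
MITIGATED = AFFECTED + "wd_lifecheck_method = 'heartbeat'\n"

if __name__ == "__main__":
    for name, sample in (("AFFECTED", AFFECTED), ("MITIGATED", MITIGATED)):
        print(name, audit(sample))
```

The check covers configuration only; the installed version still has to be compared with the Affected Products list, since a fixed release is not affected even with these settings.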
Vendor Information

PgPool Global Development Group
CWE

  1. Information Exposure(CWE-200) [IPA Evaluation]
CVE

  1. CVE-2023-22332
References

  1. JVN : JVN#72418815
  2. National Vulnerability Database (NVD) : CVE-2023-22332
Revision History

  • [2023/01/23]
      Web page was published
  • [2024/06/20]
      References : Content was added