JVNDB-2024-000096

Pgpool-II vulnerable to information disclosure

Pgpool-II is a cluster management tool. Pgpool-II contains an information disclosure vulnerability (CWE-213) in its query cache function.

PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.

PgPool Global Development Group

• Pgpool-II 4.5.0 to 4.5.3 (4.5 series)
• Pgpool-II 4.4.0 to 4.4.8 (4.4 series)
• Pgpool-II 4.3.0 to 4.3.11 (4.3 series)
• Pgpool-II 4.2.0 to 4.2.18 (4.2 series)
• Pgpool-II 4.1.0 to 4.1.21 (4.1 series)
• Pgpool-II All versions of 4.0 series
• Pgpool-II All versions of 3.7 series
• Pgpool-II All versions of 3.6 series
• Pgpool-II All versions of 3.5 series
• Pgpool-II All versions of 3.4 series
• Pgpool-II All versions of 3.3 series
• Pgpool-II All versions of 3.2 series

If a database user access a query cache, table data unauthorized for the user may be retrieved.

[Update the Software]
Apply the appropriate updates for the respective versions according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

* Pgpool-II 4.5.4 (4.5 series)
* Pgpool-II 4.4.9 (4.4 series)
* Pgpool-II 4.3.12 (4.3 series)
* Pgpool-II 4.2.19 (4.2 series)
* Pgpool-II 4.1.22 (4.1 series)

The developer recommends that users should upgrade the software to 4.1 series or later, as 3.2 to 4.0 series are no longer supported (End-of-Support), thus no updates/patches are provided for them.

[Apply the workaround]
Applying the following workarounds may mitigate the impact of this vulnerability.
* Stop using query cache function (memory_cache_enabled = off)

PgPool Global Development Group

• PgPool Global Development Group : PgPool Global Development Group website

1. Information Exposure(CWE-200) [IPA Evaluation]

1. CVE-2024-45624

1. JVN : JVN#67456481

• [2024/09/09]
    Web page was published