Published:2024/09/09  Last Updated:2024/09/09

JVN#67456481
Pgpool-II vulnerable to information disclosure

Overview

Pgpool-II provided by PgPool Global Development Group contains an information disclosure vulnerability.

Products Affected

The following versions of Pgpool-II are affected:

  • 4.5.0 to 4.5.3 (4.5 series)
  • 4.4.0 to 4.4.8 (4.4 series)
  • 4.3.0 to 4.3.11 (4.3 series)
  • 4.2.0 to 4.2.18 (4.2 series)
  • 4.1.0 to 4.1.21 (4.1 series)
  • All versions of 4.0 series
  • All versions of 3.7 series
  • All versions of 3.6 series
  • All versions of 3.5 series
  • All versions of 3.4 series
  • All versions of 3.3 series
  • All versions of 3.2 series

Description

Pgpool-II is a cluster management tool. Pgpool-II contains an information disclosure vulnerability (CWE-213) in its query cache function.

Impact

If a database user access a query cache, table data unauthorized for the user may be retrieved.

Solution

Update the Software
Apply the appropriate updates for the respective versions according to the information provided by the developer.
The developer has released the following versions that address the vulnerability.

  • Pgpool-II 4.5.4 (4.5 series)
  • Pgpool-II 4.4.9 (4.4 series)
  • Pgpool-II 4.3.12 (4.3 series)
  • Pgpool-II 4.2.19 (4.2 series)
  • Pgpool-II 4.1.22 (4.1 series)
The developer recommends that users should upgrade the software to 4.1 series or later, as 3.2 to 4.0 series are no longer supported (End-of-Support), thus no updates/patches are provided for them.

Apply the workaround
Applying the following workarounds may mitigate the impact of this vulnerability.
  • Stop using query cache function (memory_cache_enabled = off)

Vendor Status

Vendor Status Last Update Vendor Notes
PgPool Global Development Group Vulnerable 2024/09/09 PgPool Global Development Group website

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Base Score: 4.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Credit

PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-45624
JVN iPedia JVNDB-2024-000096