Upstream information

CVE-2022-41946 at MITRE

Description

pgjdbc is an open source PostgreSQL JDBC Driver. In affected versions a prepared statement using either `PreparedStatement.setText(int, InputStream)` or `PreparedStatement.setBytea(int, InputStream)` will create a temporary file if the InputStream is larger than 2k. This temporary file is readable by other users on Unix-like systems, but not on MacOS. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability.
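The following is an added example, not pgjdbc's own code. It contrasts the two ways a JVM can create a temporary file that the description alludes to: the legacy `java.io.File.createTempFile`, whose permissions follow the process umask and therefore end up group/world-readable in a shared /tmp, and the Java 7 `java.nio.file.Files.createTempFile` API, which lets the owner-only mode be applied atomically at creation. Which NIO call the upstream fix actually uses is an assumption here. The example also implements the check a defender on an unpatchable JVM would want: that `java.io.tmpdir` (a JVM system property, normally set with `-Djava.io.tmpdir=...`) points at a directory owned by the executing user with no group/other bits.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.util.EnumSet;
import java.util.Set;

/**
 * Added example (not pgjdbc code). POSIX file systems only: the permission
 * calls below throw UnsupportedOperationException on Windows.
 */
public class TempFileHygiene {

    /** Legacy pattern: mode is 0666 masked by the umask, typically 0644, so other users can read it. */
    static Path legacyTempFile() throws IOException {
        java.io.File f = java.io.File.createTempFile("pgjdbc-legacy-", ".tmp");
        return f.toPath();
    }

    /** Hardened pattern (Java 7+): owner-only rw------- is applied at creation, with no window to chmod. */
    static Path ownerOnlyTempFile() throws IOException {
        Set<PosixFilePermission> ownerRw = EnumSet.of(
                PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);
        return Files.createTempFile("pgjdbc-hardened-", ".tmp",
                PosixFilePermissions.asFileAttribute(ownerRw));
    }

    /** True if any group or other permission bit is set on the path. */
    static boolean accessibleByOthers(Path p) throws IOException {
        for (PosixFilePermission perm : Files.getPosixFilePermissions(p)) {
            switch (perm) {
                case GROUP_READ: case GROUP_WRITE: case GROUP_EXECUTE:
                case OTHERS_READ: case OTHERS_WRITE: case OTHERS_EXECUTE:
                    return true;
                default:
                    break;
            }
        }
        return false;
    }

    /**
     * Mitigation check from the advisory: java.io.tmpdir must be a directory owned
     * by the current user and closed to everyone else (mode 0700).
     */
    static boolean tmpdirIsPrivate() throws IOException {
        Path tmp = Paths.get(System.getProperty("java.io.tmpdir"));
        if (!Files.isDirectory(tmp)) {
            return false;
        }
        UserPrincipal owner = Files.getOwner(tmp);
        UserPrincipal me = tmp.getFileSystem().getUserPrincipalLookupService()
                .lookupPrincipalByName(System.getProperty("user.name"));
        return owner.equals(me) && !accessibleByOthers(tmp);
    }

    public static void main(String[] args) throws IOException {
        Path legacy = legacyTempFile();
        Path hardened = ownerOnlyTempFile();
        try {
            System.out.println("java.io.tmpdir = " + System.getProperty("java.io.tmpdir")
                    + ", exclusively owned by this user: " + tmpdirIsPrivate());
            System.out.println("legacy   "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(legacy))
                    + " accessible by others: " + accessibleByOthers(legacy));
            System.out.println("hardened "
                    + PosixFilePermissions.toString(Files.getPosixFilePermissions(hardened))
                    + " accessible by others: " + accessibleByOthers(hardened));
        } finally {
            // Clean up so the demonstration itself leaves nothing behind in the shared directory.
            Files.deleteIfExists(legacy);
            Files.deleteIfExists(hardened);
        }
    }
}
```

Run it once with the default tmpdir and once with `-Djava.io.tmpdir=/path/owned/by/user` (a directory you have created with mode 0700): the legacy file reports group/other bits whenever the shared directory is used, the hardened file never does, and `tmpdirIsPrivate()` turns true only under the mitigated configuration. The ownership check matters as much as the mode: a 0700 directory owned by someone else is not the mitigation the advisory describes.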

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
Metric                  National Vulnerability Database                 SUSE
Base Score              4.7                                             5.5
Vector                  CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector           Local                                           Local
Attack Complexity       High                                            Low
Privileges Required     Low                                             Low
User Interaction        None                                            None
Scope                   Unchanged                                       Unchanged
Confidentiality Impact  High                                            High
Integrity Impact        None                                            None
Availability Impact     None                                            None
CVSSv3 Version          3.1                                             3.1
SUSE Bugzilla entry: 1206921 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
Container suse/manager/5.0/x86_64/server:latest
Image SLES15-SP4-Manager-Server-4-3
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
Image SLES15-SP4-Manager-Server-4-3-BYOS
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
Image SLES15-SP4-Manager-Server-4-3-EC2-llc
Image SLES15-SP4-Manager-Server-4-3-EC2-ltd
  • postgresql-jdbc >= 42.2.25-150400.3.9.2
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
  • postgresql-jdbc >= 42.2.25-150300.3.11.2
SUSE Liberty Linux 8
  • postgresql-jdbc >= 42.2.14-2.el8
  • postgresql-jdbc-javadoc >= 42.2.14-2.el8
Patchnames:
RHSA-2023:2867
SUSE Liberty Linux 9
  • postgresql-jdbc >= 42.2.27-1.el9
Patchnames:
RHSA-2023:2378
SUSE Linux Enterprise High Performance Computing 15 SP4
SUSE Linux Enterprise Module for Server Applications 15 SP4
SUSE Linux Enterprise Server 15 SP4
SUSE Linux Enterprise Server for SAP Applications 15 SP4
SUSE Manager Proxy 4.3
SUSE Manager Retail Branch Server 4.3
SUSE Manager Server 4.3
  • postgresql-jdbc >= 42.2.25-150400.3.9.2
Patchnames:
SUSE-SLE-Module-Server-Applications-15-SP4-2023-103
SUSE Linux Enterprise High Performance Computing 15 SP5
SUSE Linux Enterprise Module for Server Applications 15 SP5
SUSE Linux Enterprise Server 15 SP5
SUSE Linux Enterprise Server for SAP Applications 15 SP5
  • postgresql-jdbc >= 42.2.25-150400.3.9.2
Patchnames:
SUSE Linux Enterprise Module for Server Applications 15 SP5 GA postgresql-jdbc-42.2.25-150400.3.9.2
SUSE Linux Enterprise Real Time 15 SP3
  • postgresql-jdbc >= 42.2.25-150300.3.11.2
Patchnames:
SUSE-SLE-Product-RT-15-SP3-2023-451
SUSE Linux Enterprise Server 12 SP5
SUSE Linux Enterprise Server for SAP Applications 12 SP5
  • postgresql-jdbc >= 9.4-3.9.1
Patchnames:
SUSE-SLE-SERVER-12-SP5-2023-104
SUSE Manager Server Module 4.2
  • postgresql-jdbc >= 42.2.25-150300.3.11.2
Patchnames:
SUSE-SLE-Module-SUSE-Manager-Server-4.2-2023-451
openSUSE Leap 15.4
  • postgresql-jdbc >= 42.2.25-150400.3.9.2
  • postgresql-jdbc-javadoc >= 42.2.25-150400.3.9.2
Patchnames:
openSUSE-SLE-15.4-2023-103
openSUSE Tumbleweed
  • postgresql-jdbc >= 42.2.25-4.1
  • postgresql-jdbc-javadoc >= 42.2.25-4.1
Patchnames:
openSUSE Tumbleweed GA postgresql-jdbc-42.2.25-4.1

First public cloud image revisions this CVE is fixed in:

Status of this issue by product and package

Please note that this evaluation state might be work in progress, incomplete or outdated. Also, information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification. The updates are grouped by state of their lifecycle. SUSE product lifecycles are documented on the lifecycle page.

Product(s) Source package State
Products under general support and receiving all security fixes.
SUSE Enterprise Storage 7.1 postgresql-jdbc Affected
SUSE Linux Enterprise High Performance Computing 12 SP5 postgresql-jdbc Released
SUSE Linux Enterprise High Performance Computing 15 SP5 postgresql-jdbc Released
SUSE Linux Enterprise Module for Server Applications 15 SP5 postgresql-jdbc Released
SUSE Linux Enterprise Real Time 15 SP3 postgresql-jdbc Released
SUSE Linux Enterprise Server 12 SP5 postgresql-jdbc Released
SUSE Linux Enterprise Server 15 SP5 postgresql-jdbc Released
SUSE Linux Enterprise Server for SAP Applications 12 SP5 postgresql-jdbc Released
SUSE Linux Enterprise Server for SAP Applications 15 SP4 postgresql-jdbc Released
SUSE Linux Enterprise Server for SAP Applications 15 SP5 postgresql-jdbc Released
SUSE Manager Proxy 4.3 postgresql-jdbc Released
SUSE Manager Retail Branch Server 4.3 postgresql-jdbc Released
SUSE Manager Server 4.3 postgresql-jdbc Released
Products under Long Term Service Pack support and receiving important and critical security fixes.
SUSE Linux Enterprise High Performance Computing 15 SP3 postgresql-jdbc Unsupported
SUSE Linux Enterprise High Performance Computing 15 SP3-ESPOS postgresql-jdbc Affected
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS postgresql-jdbc Affected
SUSE Linux Enterprise High Performance Computing 15 SP4 postgresql-jdbc Released
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS postgresql-jdbc Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS postgresql-jdbc Affected
SUSE Linux Enterprise Module for Server Applications 15 SP3 postgresql-jdbc Unsupported
SUSE Linux Enterprise Module for Server Applications 15 SP4 postgresql-jdbc Released
SUSE Linux Enterprise Server 12 SP2-BCL postgresql-jdbc Affected
SUSE Linux Enterprise Server 15 SP3 postgresql-jdbc Unsupported
SUSE Linux Enterprise Server 15 SP3-LTSS postgresql-jdbc Affected
SUSE Linux Enterprise Server 15 SP4 postgresql-jdbc Released
SUSE Linux Enterprise Server 15 SP4-LTSS postgresql-jdbc Affected
SUSE Linux Enterprise Server Business Critical Linux 15 SP3 postgresql-jdbc Unsupported
SUSE Linux Enterprise Server for SAP Applications 15 SP3 postgresql-jdbc Unsupported
Products past their end of life and not receiving proactive updates anymore.
HPE Helion OpenStack 8 postgresql-jdbc Affected
SUSE Linux Enterprise Real Time 15 SP4 postgresql-jdbc Affected
SUSE Linux Enterprise Server 11 SP3 postgresql-jdbc Not affected
SUSE Linux Enterprise Server 11 SP3-LTSS postgresql-jdbc Not affected
SUSE Linux Enterprise Server 11 SP4 postgresql-jdbc Not affected
SUSE Linux Enterprise Server 11 SP4-LTSS postgresql-jdbc Not affected
SUSE Linux Enterprise Server 12 SP1 postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP1-LTSS postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP2 postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP2-ESPOS postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP2-LTSS postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP3 postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP3-BCL postgresql-jdbc Unsupported
SUSE Linux Enterprise Server 12 SP3-ESPOS postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP3-LTSS postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP4 postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP4-ESPOS postgresql-jdbc Affected
SUSE Linux Enterprise Server 12 SP4-LTSS postgresql-jdbc Affected
SUSE Linux Enterprise Server 15 SP3-BCL postgresql-jdbc Affected
SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 postgresql-jdbc Affected
SUSE Linux Enterprise Server for SAP Applications 12 SP1 postgresql-jdbc Affected
SUSE Linux Enterprise Server for SAP Applications 12 SP2 postgresql-jdbc Affected
SUSE Linux Enterprise Server for SAP Applications 12 SP3 postgresql-jdbc Affected
SUSE Linux Enterprise Server for SAP Applications 12 SP4 postgresql-jdbc Affected
SUSE Manager Proxy 4.2 postgresql-jdbc Unsupported
SUSE Manager Retail Branch Server 4.2 postgresql-jdbc Unsupported
SUSE Manager Server 4.2 postgresql-jdbc Unsupported
SUSE Manager Server Module 4.1 postgresql-jdbc Unsupported
SUSE Manager Server Module 4.2 postgresql-jdbc Released
SUSE OpenStack Cloud 7 postgresql-jdbc Affected
SUSE OpenStack Cloud 8 postgresql-jdbc Affected
SUSE OpenStack Cloud 9 postgresql-jdbc Affected
SUSE OpenStack Cloud Crowbar 8 postgresql-jdbc Affected
SUSE OpenStack Cloud Crowbar 9 postgresql-jdbc Affected
openSUSE Leap 15.3 postgresql-jdbc Released
openSUSE Leap 15.4 postgresql-jdbc Released
Container Source package State
suse/manager/5.0/x86_64/server postgresql-jdbc Released
SUSE Timeline for this CVE

CVE page created: Thu Nov 24 09:00:13 2022
CVE page last modified: Fri Mar 8 00:38:13 2024