Executive Summary

Summary
Title Sun Alert 258808 Security Vulnerability in PostgreSQL Shipped with Solaris may Allow a Denial of Service (DoS)
Informations
Name SUN-258808 First vendor Publication 2009-05-13
Vendor Sun Last vendor Modification 2010-01-21
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:N/I:N/A:P)
Cvss Base Score 4 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Product: Solaris 10, OpenSolaris

Security vulnerability affecting the PostgreSQL software shipped withSolaris may allow an authenticated PostgreSQL users to cause a Denialof Service (DoS) to the PostgreSQL server (due to stack consumption).

This issue is described in the following documents:

Official PostgreSQL announcement at:
CVE-2009-0922 at:
State: Resolved
First released: 13-May-2009

Original Source

Url : http://blogs.sun.com/security/entry/sun_alert_258808_security_vulnerability

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-399 Resource Management Errors

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10874
 
Oval ID: oval:org.mitre.oval:def:10874
Title: PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
Description: PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
Family: unix Class: vulnerability
Reference(s): CVE-2009-0922
Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:13288
 
Oval ID: oval:org.mitre.oval:def:13288
Title: USN-753-1 -- postgresql-8.1, postgresql-8.3 vulnerability
Description: It was discovered that PostgreSQL did not properly handle encoding conversion failures. An attacker could exploit this by sending specially crafted requests to PostgreSQL, leading to a denial of service.
Family: unix Class: patch
Reference(s): USN-753-1
CVE-2009-0922
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 6.06
Ubuntu 8.10
Product(s): postgresql-8.1
postgresql-8.3
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:6252
 
Oval ID: oval:org.mitre.oval:def:6252
Title: Security Vulnerability in PostgreSQL Shipped with Solaris may Allow a Denial of Service (DoS)
Description: PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
Family: unix Class: vulnerability
Reference(s): CVE-2009-0922
Version: 1
Platform(s): Sun Solaris 10
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 5

OpenVAS Exploits

Date Description
2012-02-12 Name : Gentoo Security Advisory GLSA 201110-22 (postgresql-server postgresql-base)
File : nvt/glsa_201110_22.nasl
2011-08-09 Name : CentOS Update for postgresql CESA-2009:1484 centos5 i386
File : nvt/gb_CESA-2009_1484_postgresql_centos5_i386.nasl
2011-08-09 Name : CentOS Update for postgresql CESA-2009:1484 centos4 i386
File : nvt/gb_CESA-2009_1484_postgresql_centos4_i386.nasl
2009-10-13 Name : RedHat Security Advisory RHSA-2009:1484
File : nvt/RHSA_2009_1484.nasl
2009-10-13 Name : SLES10: Security update for PostgreSQL
File : nvt/sles10_postgresql.nasl
2009-10-13 Name : CentOS Security Advisory CESA-2009:1484 (postgresql)
File : nvt/ovcesa2009_1484.nasl
2009-10-11 Name : SLES11: Security update for PostgreSQL
File : nvt/sles11_postgresql.nasl
2009-10-10 Name : SLES9: Security update for PostgreSQL
File : nvt/sles9p5047220.nasl
2009-09-15 Name : Fedora Core 10 FEDORA-2009-9474 (postgresql)
File : nvt/fcore_2009_9474.nasl
2009-06-05 Name : RedHat Security Advisory RHSA-2009:1067
File : nvt/RHSA_2009_1067.nasl
2009-06-05 Name : Ubuntu USN-776-2 (kvm)
File : nvt/ubuntu_776_2.nasl
2009-04-28 Name : SuSE Security Summary SUSE-SR:2009:009
File : nvt/suse_sr_2009_009.nasl
2009-04-24 Name : PostgreSQL Conversion Encoding Remote Denial of Service Vulnerability
File : nvt/postgresql_cve_2009_0922.nasl
2009-04-15 Name : Ubuntu USN-753-1 (postgresql-8.3)
File : nvt/ubuntu_753_1.nasl
2009-03-31 Name : Fedora Core 10 FEDORA-2009-2959 (postgresql)
File : nvt/fcore_2009_2959.nasl
2009-03-31 Name : Mandrake Security Advisory MDVSA-2009:079 (postgresql)
File : nvt/mdksa_2009_079.nasl
2009-03-31 Name : Fedora Core 9 FEDORA-2009-2927 (postgresql)
File : nvt/fcore_2009_2927.nasl
2009-03-26 Name : PostgreSQL Denial of Service Vulnerability (Linux)
File : nvt/secpod_postgresql_dos_vuln_lin.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
54512 PostgreSQL Client-specific Encoding Localized Error Message Conversion DoS

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2009-1484.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20091007_postgresql_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2011-10-25 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201110-22.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2009-1484.nasl - Type : ACT_GATHER_INFO
2009-10-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2009-1484.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_postgresql-6114.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_postgresql-090324.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12383.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_1_postgresql-090324.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_postgresql-090324.nasl - Type : ACT_GATHER_INFO
2009-06-28 Name : The remote host is missing Sun Security Patch number 138826-12
File : solaris10_138826.nasl - Type : ACT_GATHER_INFO
2009-06-28 Name : The remote host is missing Sun Security Patch number 138827-12
File : solaris10_x86_138827.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-753-1.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2009-079.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Fedora host is missing a security update.
File : fedora_2009-2959.nasl - Type : ACT_GATHER_INFO
2009-04-16 Name : The remote openSUSE host is missing a security update.
File : suse_postgresql-6115.nasl - Type : ACT_GATHER_INFO
2009-03-24 Name : The remote Fedora host is missing a security update.
File : fedora_2009-2927.nasl - Type : ACT_GATHER_INFO
2008-02-05 Name : The remote host is missing Sun Security Patch number 136999-10
File : solaris10_x86_136999.nasl - Type : ACT_GATHER_INFO
2008-02-05 Name : The remote host is missing Sun Security Patch number 136998-10
File : solaris10_136998.nasl - Type : ACT_GATHER_INFO
2007-03-18 Name : The remote host is missing Sun Security Patch number 123591-12
File : solaris10_x86_123591.nasl - Type : ACT_GATHER_INFO
2007-03-18 Name : The remote host is missing Sun Security Patch number 123590-12
File : solaris10_123590.nasl - Type : ACT_GATHER_INFO