ZDI-11-102: PostgreSQL Plus Advanced Server DBA Management Server Remote Authentication Bypass Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-102 March 2, 2011 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Postgres -- Affected Products: Postgres Plus SQL -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Postgres Plus Advanced Server DBA Management Server. Authentication is not required to exploit this vulnerability. The flaw exists within the DBA Management Server component which listens by default on TCP ports 9000 and 9363. When handling client authentication the server does not properly enforce restrictions on accessing the jmx-console or web-console directly. These consoles allow arbitrary instantiation of classes. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the server. -- Vendor Response: Postgres states: SUBJECT: EnterpriseDB Technical Alert for Postgres Plus Advanced Server (DBA Management Server - Build 39) #20110209.01 TECHNICAL ALERT STATUS ======================== Status: Critical Critical - this update fixes a potential security threat, a possible data corruption, calculation, search set, or other function that may lead to inaccurate results. The update should be applied at the earliest possible time as it may affect a large number of users. Recommended - this update fixes non-critical issues that may impede general usage and require undesirable work-arounds affecting a limited number of users. The update is recommended to be applied when convenient. Informational - this update is informational only for non-critical issues. No software update or patch needs to be applied and issues may be addressed in the field using the specified version currently installed. WHAT IS IN THIS ALERT ===================== This Technical Alert is notifying you of a software update that addresses the DBA Management Server module shipped with Postgres Plus Advanced Server v8.4 (8.4.x.x). The software update contains the fix for a vulnerability that allows remote attackers to execute arbitrary code on vulnerable installations of Postgres Plus Advanced Server v8.4 DBA Management Server. The flaw existed due to a management feature in JBoss - the application server used by DBA Management Server. The default JBoss configuration does not properly enforce restrictions on accessing the jmx-console or web-console directly, when handling client authentication to the server. These consoles allow arbitrary instantiation of classes. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the server. JBoss provides a mechanism to restrict access to these resources, which has been used to fix this vulnerability. This update only updates the DBA Management Server files (Build 39). The core database server engine version remains unchanged. ACKNOWLEDGEMENT =================== Discovery of this vulnerability is credited to AbdulAziz Hariri and TippingPoints Zero Day Initiative. IS THIS ALERT FOR ME? ==================== This alert is for customers using: - Postgres Plus Advanced Server version: 8.4.x.x - DBA Management Server HOW TO GET THE UPDATE AND APPLY IT ================================== This update is available through the Postgres Plus Advanced Server - StackBuilder Plus Module only. Please perform the following steps in order to update your DBA Management Server for Postgres Plus Advanced Server. It is recommended that you backup your files before performing the upgrade. 1. Right-Click on the System tray icon (PostgreSQL Elephant) and select 'Install Updates'. OR Run StackBuilder Plus directly from the Application Menu. The update will automatically be selected and displayed in bold. 2. Click Next and choose the download directory (where the update will be downloaded). 3. The installation program will start once the download is complete. HOW TO RESTORE THE ORIGINAL VERSION =================================== In order to restore to the original version, run the PPAS 8.4 SP1 (8.4.5.18) meta-installer and select only the DBA Management Server in the component selection screen. This will restore the component to Build38. TROUBLESHOOTING ================= If you experience any problems applying the upgrade or restoring the old version after applying the upgrade, please contact Technical Support at: Email: support@enterprisedb.com Phone: +1-732-331-1320 or 1-800-235-5891 (US Only) Submit a Support ticket at: http://www.enterprisedb.com/products/support/overview -- Disclosure Timeline: 2011-01-04 - Vulnerability reported to vendor 2011-03-02 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * AbdulAziz Hariri -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi