Vulnerability CVE-2021-3677: Information

Description

A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2021-3677

Published: March 3, 2022

Modified: Jan. 31, 2023

Error type identifier: CWE-200

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
postgresql11	p10	11.13-alt1	11.22-alt0.p10.3	ALT-PU-2021-2532-1	282403	Fixed
postgresql11	p9	11.13-alt0.M90P.1	11.22-alt0.M90P.1	ALT-PU-2021-2605-1	282411	Fixed
postgresql11	p8	11.14-alt0.M80P.1	11.14-alt0.M80P.1	ALT-PU-2021-3579-1	289365	Fixed
postgresql11	c10f1	11.13-alt1	11.22-alt0.p10.1	ALT-PU-2021-2532-1	282403	Fixed
postgresql11	c9f2	11.14-alt0.M90P.1	11.22-alt0.M90P.1	ALT-PU-2021-3567-1	292243	Fixed
postgresql11-1C	p8	11.12-alt0.M80P.2	11.12-alt0.M80P.2	ALT-PU-2021-3580-1	289365	Fixed
postgresql12	sisyphus	12.8-alt1	12.19-alt3	ALT-PU-2021-2485-1	282393	Fixed
postgresql12	p10	12.8-alt1	12.19-alt0.p10.3	ALT-PU-2021-2533-1	282403	Fixed
postgresql12	p9	12.8-alt0.M90P.1	12.19-alt0.M90P.1	ALT-PU-2021-2603-1	282411	Fixed
postgresql12	p8	12.9-alt0.M80P.1	12.9-alt0.M80P.1	ALT-PU-2021-3581-1	289365	Fixed
postgresql12	c10f1	12.8-alt1	12.19-alt0.p10.1	ALT-PU-2021-2533-1	282403	Fixed
postgresql12	c9f2	12.9-alt0.M90P.1	12.18-alt0.c9f2.1	ALT-PU-2021-3600-1	292389	Fixed
postgresql12	p11	12.8-alt1	12.19-alt3	ALT-PU-2021-2485-1	282393	Fixed
postgresql12-1C	p9	12.7-alt0.M90P.2	12.19-alt0.M90P.1	ALT-PU-2021-2604-1	282411	Fixed
postgresql12-1C	c9f2	12.7-alt0.M90P.3	12.17-alt0.c9f2.2	ALT-PU-2021-3564-1	292243	Fixed
postgresql13	sisyphus	13.4-alt1	13.15-alt3	ALT-PU-2021-2482-1	282393	Fixed
postgresql13	p10	13.4-alt1	13.15-alt0.p10.3	ALT-PU-2021-2531-1	282403	Fixed
postgresql13	c10f1	13.4-alt1	13.15-alt0.p10.1	ALT-PU-2021-2531-1	282403	Fixed
postgresql13	p11	13.4-alt1	13.15-alt3	ALT-PU-2021-2482-1	282393	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=2001857	Issue Tracking Third Party Advisory
https://www.postgresql.org/support/security/CVE-2021-3677/	Vendor Advisory
https://security.netapp.com/advisory/ntap-20220407-0008/	Third Party Advisory
GLSA-202211-04	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  13.0
  End excliding
  13.4
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  12.0
  End excliding
  12.8
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  11.0
  End excliding
  11.13
  
  Configuration 2
  cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0:*:*:*:*:*:*:*
  
  Configuration 3
  cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
  Running on/with:
  cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  
  Configuration 4
  cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2021-3677: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2

Configuration 3

Configuration 4