EnterpriseDB · djw-m · Nov 14, 2024 · Nov 14, 2024 · Nov 14, 2024
@@ -0,0 +1,82 @@
+---  
+title: CVE-2020-10531 - Integer overflow in ICU doAppend() 
+navTitle: CVE-2020-10531
+affectedProducts: All versions of EDB Postgres Advanced Server from 13 through 16
+---
+
+First Published: 2024/11/14
+
+Last Updated: 2024/11/14
+
+## Important
+
+This is an assessment of the impact of CVE-2020-10531 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
+
+## Summary
+
+The original vulnerability was an integer overflow leading to a heap-based buffer overflow in `UnicodeString::doAppend()` in ICU (International Components for Unicode) for C/C++ which existed up to (and including) version 66.1.
+
+In the process of validating EDB Postgres Advanced Server 17, a release check identified the presence of a pre 67.1 version of the library being used.
+
+It had been believed that existing versions of EPAS had been built with a later library version. 
+
+While most EDB software builds against the operating system provided version of ICU, EDB Postgres Advanced Server can include EDB’s own build of ICU 66.1, specifically on RHEL7 on x86\_64/PPCLE, RHEL8 on x86\_64/PPCLE, SLES 12  x86\_64/PPCLE/s390x, and SLES 15 x86\_64/PPCLE/s390x. On RHEL9, the OS supplied library (version 67.1) is used.
+
+EDB Postgres Extended and Postgres use the OS supplied ICU libraries, and are not affected by this vulnerability.
+
+It has been established that EDB’s code does not use the vulnerable function.  
+Assessment and mitigation: In the interests of ensuring that the vulnerable library doesn’t provide any surface for an attacker, we are releasing updated versions of all affected products.
+
+## Vulnerability Details
+
+CVE-ID:  [CVE-2020-10531](https://nvd.nist.gov/vuln/detail/CVE-2020-10531)
+
+CVSS Base Score: 8.8
+
+CVSS Temporal Score: Undefined
+
+CVSS Environmental Score: Undefined 
+
+CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
+
+## Affected Products and Versions
+
+### EnterpriseDB Postgres Advanced Server
+
+On RHEL 7/8 (x86_64/PPCLE) and SLES 12/15 (x86_64/PPCLE/s390x)
+
+* All versions of EPAS prior to 16.5.0
+* All versions of EPAS prior to 15.9.0
+* All versions of EPAS prior to 14.14.0  
+* All versions of EPAS prior to 13.17.0
+
+## Remediation
+
+### EDB Postgres Advanced Server Version Information
+
+| Product | VRMF    | Remediation/First Fix |
+|:--------|:--------|:----------------------|
+| EPAS 16 | 16.4.0  | Upgrade to 16.5.0     |
+| EPAS 15 | 15.8.0  | Upgrade to 15.9.0     |
+| EPAS 14 | 14.13.0 | Upgrade to 14.14.0    |
+| EPAS 13 | 13.16.0 | Upgrade to 13.17.0    |
+
+If you are unable to upgrade your EPAS installation, upgrade the installed edb-icu
+
+## Reference
+
+* [CVSS #3.1 Calculator](https://www.first.org/cvss/calculator/3.1) 
+
+## Related Information
+
+* [EnterpriseDB](https://www.enterprisedb.com/)
+* [Postgresql](https://www.postgresql.org/)
+* [EDB Postgres Advanced Server](https://www.enterprisedb.com/products/edb-postgres-advanced-server)
+
+## Change History
+
+14 November 2024: Original Copy Published
+
+## Disclaimer
+
+This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
@@ -6,10 +6,11 @@ iconName: Security
 hideKBLink: true
 hideToC: false
 navigation:
-- cve-2024-7348
-- cve-2024-4317
-- cve-2024-1597
+- cve-2020-10531
 - cve-2024-0985
+- cve-2024-1597
+- cve-2024-4317
+- cve-2024-7348
 ---
 
 The CVEs listed in this section are from PostgreSQL and other parties who have reported them and that may have an impact on EDB products.
@@ -28,37 +29,37 @@ The CVEs listed in this section are from PostgreSQL and other parties who have r
 
 
 <tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-7348 </h3>
+<details><summary><h3 style="display:inline"> CVE-2020-10531 </h3>
 <span>
-&nbsp;&nbsp;<a href="cve-2024-7348">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/08/15</span>
-<h4>PostgreSQL relation replacement during pg_dump executes arbitrary SQL</h4>
-<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13</h5>
+&nbsp;&nbsp;<a href="cve-2020-10531">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/11/14</span>
+<h4>Integer overflow in ICU doAppend()</h4>
+<h5> All versions of EDB Postgres Advanced Server from 13 through 16</h5>
 </summary>
 <hr/>
 <em>Summary:</em>&nbsp;
-Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
+The original vulnerability was an integer overflow leading to a heap-based buffer overflow in <code>UnicodeString::doAppend()</code> in ICU (International Components for Unicode) for C/C++ which existed up to (and including) version 66.1.
 <br/>
-<a href="cve-2024-7348">Read More...</a>
+<a href="cve-2020-10531">Read More...</a>
 </details></td></tr>
 
 
 
 
 
 <tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-4317 </h3>
+<details><summary><h3 style="display:inline"> CVE-2024-0985 </h3>
 <span>
-&nbsp;&nbsp;<a href="cve-2024-4317">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
-<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
-<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12</h5>
+&nbsp;&nbsp;<a href="cve-2024-0985">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/02/26</span>
+<h4>PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL</h4>
+<h5> PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0</h5>
 </summary>
 <hr/>
 <em>Summary:</em>&nbsp;
-Missing authorization in PostgreSQL built-in views <code>pg_stats_ext</code> and <code>pg_stats_ext_exprs</code> allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
+Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
 <br/>
-<a href="cve-2024-4317">Read More...</a>
+<a href="cve-2024-0985">Read More...</a>
 </details></td></tr>
 
 
@@ -85,18 +86,37 @@ pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using Prefe
 
 
 <tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-0985 </h3>
+<details><summary><h3 style="display:inline"> CVE-2024-4317 </h3>
 <span>
-&nbsp;&nbsp;<a href="cve-2024-0985">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/02/26</span>
-<h4>PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL</h4>
-<h5> PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0</h5>
+&nbsp;&nbsp;<a href="cve-2024-4317">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
+<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
+<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12</h5>
 </summary>
 <hr/>
 <em>Summary:</em>&nbsp;
-Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
+Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
 <br/>
-<a href="cve-2024-0985">Read More...</a>
+<a href="cve-2024-4317">Read More...</a>
+</details></td></tr>
+
+
+
+
+
+<tr><td>
+<details><summary><h3 style="display:inline"> CVE-2024-7348 </h3>
+<span>
+&nbsp;&nbsp;<a href="cve-2024-7348">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/08/15</span>
+<h4>PostgreSQL relation replacement during pg_dump executes arbitrary SQL</h4>
+<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
+<br/>
+<a href="cve-2024-7348">Read More...</a>
 </details></td></tr>
 
 </table>

@@ -55,34 +55,34 @@ All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior
 
 
 <tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-7348 </h3>
+<details><summary><h3 style="display:inline"> CVE-2020-10531 </h3>
 <span>
-&nbsp;&nbsp;<a href="assessments/cve-2024-7348">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/08/15</span>
-<h4>PostgreSQL relation replacement during pg_dump executes arbitrary SQL</h4>
-<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13</h5>
+&nbsp;&nbsp;<a href="assessments/cve-2020-10531">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/11/14</span>
+<h4>Integer overflow in ICU doAppend()</h4>
+<h5> All versions of EDB Postgres Advanced Server from 13 through 16</h5>
 </summary>
 <hr/>
 <em>Summary:</em>&nbsp;
-Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
+The original vulnerability was an integer overflow leading to a heap-based buffer overflow in <code>UnicodeString::doAppend()</code> in ICU (International Components for Unicode) for C/C++ which existed up to (and including) version 66.1.
 <br/>
-<a href="assessments/cve-2024-7348">Read More...</a>
+<a href="assessments/cve-2020-10531">Read More...</a>
 </details></td></tr>
 
 
 <tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-4317 </h3>
+<details><summary><h3 style="display:inline"> CVE-2024-0985 </h3>
 <span>
-&nbsp;&nbsp;<a href="assessments/cve-2024-4317">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
-<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
-<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12</h5>
+&nbsp;&nbsp;<a href="assessments/cve-2024-0985">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/02/26</span>
+<h4>PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL</h4>
+<h5> PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0</h5>
 </summary>
 <hr/>
 <em>Summary:</em>&nbsp;
-Missing authorization in PostgreSQL built-in views <code>pg_stats_ext</code> and <code>pg_stats_ext_exprs</code> allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
+Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
 <br/>
-<a href="assessments/cve-2024-4317">Read More...</a>
+<a href="assessments/cve-2024-0985">Read More...</a>
 </details></td></tr>
 
 
@@ -103,18 +103,34 @@ pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using Prefe
 
 
 <tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-0985 </h3>
+<details><summary><h3 style="display:inline"> CVE-2024-4317 </h3>
 <span>
-&nbsp;&nbsp;<a href="assessments/cve-2024-0985">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/02/26</span>
-<h4>PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL</h4>
-<h5> PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0</h5>
+&nbsp;&nbsp;<a href="assessments/cve-2024-4317">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
+<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
+<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12</h5>
 </summary>
 <hr/>
 <em>Summary:</em>&nbsp;
-Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
+Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
 <br/>
-<a href="assessments/cve-2024-0985">Read More...</a>
+<a href="assessments/cve-2024-4317">Read More...</a>
+</details></td></tr>
+
+
+<tr><td>
+<details><summary><h3 style="display:inline"> CVE-2024-7348 </h3>
+<span>
+&nbsp;&nbsp;<a href="assessments/cve-2024-7348">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/08/15</span>
+<h4>PostgreSQL relation replacement during pg_dump executes arbitrary SQL</h4>
+<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
+<br/>
+<a href="assessments/cve-2024-7348">Read More...</a>
 </details></td></tr>
 
 </table>