A serious PostgreSQL security fix [LWN.net]

A serious PostgreSQL security fix

Posted Apr 4, 2013 15:34 UTC (Thu) by dskoll (subscriber, #1630) [Link]

Yes, the This is as true... sentence was gratuitous.

Overall, though, I think the Pg team handled this pretty well. It's a bone-headedly stupid bug, but sh*t happens even to the best of us. Now I realize the Pg developers are only human rather than super-human. :)

Can you tell I really like PostgreSQL?

A serious PostgreSQL security fix

Posted Apr 4, 2013 15:47 UTC (Thu) by ortalo (subscriber, #4654) [Link]

I do like PostgreSQL (a lot) too. However, such a recommendation more or less means: do not trust RDBMS implementations for security in their database software.
(Not even mentioning database applications security - usually not even relying on database-level user ids.)
Well, if your data does not deserve security, does it really deserve a RDMBS? I'd rather the Pg team *simply* acknowledge that they are sometimes doing mistakes and handling them responsibly (as they did). That makes them more trustable and differentiates them a lot from other RDBMS implementations (esp. proprietary ones).
On the contratry such comments do not make them more trustable in the eye of actual security conscious users. IMHO, database administrators should first find what is good for the host system security by themselves - not following random advice from the Internet (even if coming from the RDBMS developpers themselves).

A serious PostgreSQL security fix

Posted Apr 4, 2013 15:52 UTC (Thu) by dskoll (subscriber, #1630) [Link]

However, such a recommendation more or less means: do not trust RDBMS implementations for security in their database software.

I don't read it that way. Rather, I interpret it as: "Defense in depth is a good idea."

A serious PostgreSQL security fix

Posted Apr 4, 2013 18:20 UTC (Thu) by alogghe (subscriber, #6661) [Link]

Agreed. Restricting connections to a specific network is DBA 101.

You are just bad if you aren't doing that already.

Restricting RDBMS network access

Posted Apr 5, 2013 12:05 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

Sadly it's made harder than it really needs to be. For example, we have a bunch of MySQL servers that are actually only used by Java processes running on the same machines. There's no need for these MySQL servers to be accessible over the network at all and we could disable that altogether. Except it seems the Java MySQL connector doesn't _do_ Unix sockets, so they have to talk TCP/IP anyway and we're obliged to explicitly firewall the machines off to get where we ought to be from a security POV.

I see that MySQL's TLS/SSL functionality default to "disabled" too. So out of the box you're going to be tempted to do unencrypted, unauthenticated TCP/IP query sessions over the Internet.

Restricting RDBMS network access

Posted Apr 5, 2013 12:14 UTC (Fri) by dskoll (subscriber, #1630) [Link]

Except it seems the Java MySQL connector doesn't _do_ Unix sockets, so they have to talk TCP/IP anyway

On Debian at any rate, PostgreSQL listens on a TCP socket, but it's bound to 127.0.0.1 by default. Why can't MySQL do the same thing?

Restricting RDBMS network access

Posted Apr 5, 2013 12:48 UTC (Fri) by anselm (subscriber, #2796) [Link]

MySQL can do this in principle, but it's not completely trivial. You need to specify the host by IP address (127.0.0.1); if you just put »localhost« the client library will go for the Unix-domain socket even though it looks as if it is using TCP/IP.

The other problem is that the MySQL server will listen to either all of its host's IP addresses or else one single IP address. This means that if you configure it to listen on 127.0.0.1 you don't get to specify another address, e.g., of an internal »bridged« network for virtual machines. This is admittedly a minor inconvenience but still a hassle to work around.

Restricting RDBMS network access

Posted Apr 5, 2013 17:59 UTC (Fri) by dskoll (subscriber, #1630) [Link]

You need to specify the host by IP address (127.0.0.1); if you just put »localhost« the client library will go for the Unix-domain socket even though it looks as if it is using TCP/IP

Not the Java library, surely, which only does TCP sockets?

The other problem is that the MySQL server will listen to either all of its host's IP addresses or else one single IP address.

Well yes, that is a defect. But if MySQL already supports listening on two sockets (TCP and UNIX-domain) I can't imagine it would be that hard to modify it to support a list of bind addresses.

Restricting RDBMS network access

Posted Apr 5, 2013 17:05 UTC (Fri) by butlerm (subscriber, #13312) [Link]

> Except it seems the Java MySQL connector doesn't _do_ Unix sockets, so they have to talk TCP/IP anyway

That really isn't MySQL's fault. Java doesn't support Unix sockets, and they don't want to, on portability grounds. Several years back they removed support for reading environment variables for the same reason. It is a least common denominator thing.

Restricting connections? Always :-).

Posted Apr 7, 2013 9:40 UTC (Sun) by walex (subscriber, #69836) [Link]

«Restricting connections to a specific network is DBA 101.»

That's one of the most universally true statements ever:

* Restricting connections to HTTP server port 80 and port 443 to a specific network is webadmin 101.

* Restricting connections to DNS server port 53 to a specific network is hostmaster 101.

And so on! Let's call this Mordac's Rule.

Not allowing the end users to access a DBMS at all, or only indirectly via a front-end application or web UI can be supported by the following arguments:

* Not providing a service is an excellent security idea. The disconnected computer is more "secure", and the powered off one is even more "secure".

* Providing a service via a front-end is much more "secure" than providing it via the base tool itself: because experience shows dramatically how much more "secure" PHP/... based application or web UI front-ends are than their DBMS back-ends.

* Regardless of the above points, insisting that all DBMS instance access be via front-ends and then only allowing those front-ends to connect to DBMS instances means delegating accountability for security issues to the front-end owners, and can be a career-security enhancing measure too for the DBMS owners, not merely enhancing overall system security by protecting a weak DBMS with a strong front-end.

:-) :-) :-)

A serious PostgreSQL security fix

Posted Apr 5, 2013 13:24 UTC (Fri) by FranTaylor (guest, #80190) [Link]

How do you interpret the "more true" part other than "they are even worse than we are"?

A serious PostgreSQL security fix

Posted Apr 5, 2013 16:36 UTC (Fri) by drag (subscriber, #31333) [Link]

> I do like PostgreSQL (a lot) too. However, such a recommendation more or less means: do not trust RDBMS implementations for security in their database software.

Given the history of RDBMS software security I think this is a very accurate statement.

A serious PostgreSQL security fix

Posted Apr 5, 2013 16:48 UTC (Fri) by andresfreund (subscriber, #69562) [Link]

There, I corrected it for you:
> Given the history of software security I think this is a very accurate statement.

;)

A serious PostgreSQL security fix

Posted Apr 4, 2013 15:49 UTC (Thu) by cesarb (subscriber, #6266) [Link]

I read that more as warning users of other database systems to not get complacent just because they were not hit this time. For instance, another database system had a bug where authentication could be bypassed with a few hundred attempts under certain conditions; a third database system had a hardcoded login and password which was only discovered after it had been open sourced; and so on. Not allowing connections from untrusted systems to the database port makes it harder to exploit bugs like these.

A serious PostgreSQL security fix

Posted Apr 4, 2013 15:57 UTC (Thu) by cesarb (subscriber, #6266) [Link]

And how could I have forgotten this one? Yet another database system had a bug which was used to create a fast-propagating worm, which crashed parts of the Internet simply due to propagating too fast.

A serious PostgreSQL security fix

Posted Apr 4, 2013 22:46 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

> Yet another database system had a bug which was used to create a fast-propagating worm, which crashed parts of the Internet simply due to propagating too fast.

This one is especially important to note because this result indicated that many people DO have their databases directly accessible from the Internet.

This means that the comment earlier

> Agreed. Restricting connections to a specific network is DBA 101.
>
> You are just bad if you aren't doing that already.

misses the point.

It may be DBA 101, but so many people are doing it wrong that a DB exploit was able to crash parts of the Internet

A serious PostgreSQL security fix

Posted Apr 7, 2013 5:31 UTC (Sun) by gdt (subscriber, #6284) [Link]

And yet Postgres could have used TLS with client and server certificates. Which would have avoided this attack, even for Internet-visible ports. So it really is throwing stones in a glass house.

A serious PostgreSQL security fix

Posted Apr 7, 2013 9:32 UTC (Sun) by cortana (subscriber, #24596) [Link]

It doesn't?

A serious PostgreSQL security fix

Posted Apr 7, 2013 12:53 UTC (Sun) by gdt (subscriber, #6284) [Link]

I didn't mean "support" so much as "requires". My apologies for not expressing my thought more clearly.

A serious PostgreSQL security fix

Posted Apr 7, 2013 13:59 UTC (Sun) by cesarb (subscriber, #6266) [Link]

AFAIK, the authentication is per-database, which means it has to read the database name from the client before authenticating, even if you are using certificates.

The bug in question involved the client sending an invalid database name.

Oops.

A serious PostgreSQL security fix

Posted Apr 7, 2013 22:40 UTC (Sun) by hummassa (subscriber, #307) [Link]

IIRC correctly my SSL/TLS, the authentication (and the start of encrypting the whole session) comes before anything else. I suppose when the client asks for connection to a database, he is already autheticated via his cert (and the dbms can check if he can effectively connect to *that* particular db).

A serious PostgreSQL security fix

Posted Apr 7, 2013 23:31 UTC (Sun) by dlang (✭ supporter ✭, #313) [Link]

SSL/TLS authentication has a very high overhead. Postgresql supports SSL/TLS authentication, but it also supports many other types of authentication so that you can choose what one is the best fit for your needs.

A serious PostgreSQL security fix

Posted Apr 4, 2013 20:32 UTC (Thu) by geofft (subscriber, #59789) [Link]

Sorry, I don't read that as a pot shot -- it's just a clarification on standard expectations for the severity of a security flaw. Otherwise the complaint would be "PRETTY CLASSY, not owning up to a design flaw in Postgres."

A serious PostgreSQL security fix

Posted Apr 4, 2013 22:41 UTC (Thu) by price (subscriber, #59790) [Link]

The "good general rule" comment is the clarification you describe.

Saying other unnamed database systems are worse -- in that they may have more of exactly the kind of flaw the PostgreSQL developers had here -- is unhelpful and makes them sound childish and defensive. Red Hat doesn't warn about Windows security in an RHSA.

A serious PostgreSQL security fix

Posted Apr 5, 2013 8:18 UTC (Fri) by mbanck (subscriber, #9035) [Link]

That comment was taken from the FAQ corresponding to the security alert, not the alert itself.