AUSCERT External Security Bulletin Redistribution
PostgreSQL Plus Advanced Server DBA Management Server Remote Authentication Bypass Vulnerability
4 March 2011
AusCERT Security Bulletin Summary
Product: Postgres Plus SQL
Publisher: Zero Day Initiative
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
- --------------------------BEGIN INCLUDED TEXT--------------------
ZDI-11-102: PostgreSQL Plus Advanced Server DBA Management Server Remote Authentication Bypass Vulnerability
March 2, 2011
- -- CVSS:
- -- Affected Vendors:
- -- Affected Products:
Postgres Plus SQL
- -- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Postgres Plus Advanced Server DBA Management
Server. Authentication is not required to exploit this vulnerability.
The flaw exists within the DBA Management Server component, which listens
by default on TCP ports 9000 and 9363. When handling client
authentication, the server does not properly enforce restrictions on
accessing the jmx-console or web-console directly. These consoles allow
arbitrary instantiation of classes. A remote attacker can exploit this
vulnerability to execute arbitrary code under the context of the server.
- -- Vendor Response:
SUBJECT: EnterpriseDB Technical Alert for Postgres Plus Advanced Server
(DBA Management Server - Build 39) #20110209.01
TECHNICAL ALERT STATUS
Critical - this update fixes a potential security threat, a possible
data corruption, calculation, search set, or other function that may
lead to inaccurate results. The update should be applied at the earliest
possible time as it may affect a large number of users.
Recommended - this update fixes non-critical issues that may impede
general usage and require undesirable work-arounds affecting a limited
number of users. The update is recommended to be applied when
Informational - this update is informational only for non-critical
issues. No software update or patch needs to be applied and issues may
be addressed in the field using the specified version currently
WHAT IS IN THIS ALERT
This Technical Alert is notifying you of a software update that
addresses the DBA Management Server module shipped with Postgres Plus
Advanced Server v8.4 (8.4.x.x).
The software update contains the fix for a vulnerability that allows
remote attackers to execute arbitrary code on vulnerable installations
of Postgres Plus Advanced Server v8.4 DBA Management Server. The flaw
existed due to a management feature in JBoss - the application server
used by DBA Management Server. The default JBoss configuration does not
properly enforce restrictions on accessing the jmx-console or
web-console directly, when handling client authentication to the server.
These consoles allow arbitrary instantiation of classes. A remote
attacker can exploit this vulnerability to execute arbitrary code under
the context of the server.
JBoss provides a mechanism to restrict access to these resources, which
has been used to fix this vulnerability.
This update only updates the DBA Management Server files (Build 39). The
core database server engine version remains unchanged.
Discovery of this vulnerability is credited to AbdulAziz Hariri and
TippingPoint's Zero Day Initiative.
IS THIS ALERT FOR ME?
This alert is for customers using:
- - Postgres Plus Advanced Server version: 8.4.x.x
- - DBA Management Server
HOW TO GET THE UPDATE AND APPLY IT
This update is available through the Postgres Plus Advanced Server -
StackBuilder Plus Module only.
Please perform the following steps in order to update your DBA
Management Server for Postgres Plus Advanced Server. It is recommended
that you back up your files before performing the upgrade.
1. Right-click on the System tray icon (PostgreSQL Elephant) and select
Run StackBuilder Plus directly from the Application Menu. The update
will automatically be selected and displayed in bold.
2. Click Next and choose the download directory (where the update will
3. The installation program will start once the download is complete.
HOW TO RESTORE THE ORIGINAL VERSION
In order to restore to the original version, run the PPAS 8.4 SP1
(220.127.116.11) meta-installer and select only the DBA Management Server in
the component selection screen. This will restore the component to
If you experience any problems applying the upgrade or restoring the old
version after applying the upgrade, please contact Technical Support
Phone: +1-732-331-1320 or 1-800-235-5891 (US Only)
Submit a Support ticket at:
- -- Disclosure Timeline:
2011-01-04 - Vulnerability reported to vendor
2011-03-02 - Coordinated public release of advisory
- -- Credit:
This vulnerability was discovered by:
* AbdulAziz Hariri
- -- About the Zero Day Initiative (ZDI):
Established by TippingPoint, the Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.
Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:
The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
Our vulnerability disclosure policy is available online at:
Follow the ZDI on Twitter:
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.