製品・ソフトウェアに関する情報

JVN脆弱性詳細

PostgreSQL における接続をなりすまされる脆弱性

Title	PostgreSQL における接続をなりすまされる脆弱性
Summary	PostgreSQL は、SSL 証明書の認証の際、コモンネームを 32 文字で切り捨てるため、ホスト名がちょうど 32 文字である場合に、接続をなりすまされる脆弱性が存在します。
Possible impacts	第三者により、ホスト名が 32 文字である場合に、接続をなりすまされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Feb. 27, 2012, midnight
Registration Date	July 23, 2012, 11:42 a.m.
Last Update	Nov. 14, 2012, 2:42 p.m.

Affected System

PostgreSQL.org

PostgreSQL 8.4.11 未満の 8.4.x

PostgreSQL 9.0.7 未満の 9.0.x

PostgreSQL 9.1.3 未満の 9.1.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2012-0867	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0867
National Vulnerability Database (NVD)
2	CVE-2012-0867	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0867

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-16	https://jvndb.jvn.jp/ja/cwe/CWE-16.html

ベンダー情報

No	Name	URL
Debian セキュリティ勧告
1	DSA-2418	http://www.debian.org/security/2012/dsa-2418
opensuse-updates
2	openSUSE-SU-2012:1173	http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html
PostgreSQL NEWS
3	Security Update 2012-02-27 released	http://www.postgresql.org/about/news/1377/
PostgreSQL Release Notes
4	Release 8.4.11	http://www.postgresql.org/docs/8.4/static/release-8-4-11.html
5	Release 9.0.7	http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
6	Release 9.1.3	http://www.postgresql.org/docs/9.1/static/release-9-1-3.html
Red Hat Security Advisory
7	RHSA-2012:0678	http://rhn.redhat.com/errata/RHSA-2012-0678.html
Security Advisories
8	MDVSA-2012:026	http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2012:026

Change Log

No	Changed Details	Date of change
0	[2012年07月23日] 掲載 [2012年11月14日] ベンダ情報：openSUSE (openSUSE-SU-2012:1173) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2012-0867

Summary	PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.
Publication Date	July 19, 2012, 8:55 a.m.
Registration Date	Jan. 28, 2021, 2:54 p.m.
Last Update	Nov. 21, 2024, 10:35 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:o:opensuse_project:opensuse:12.2:::::::*

Configuration4		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:6.0:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.2.z:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:desktop_workstation:5:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html	Third Party Advisory
2	http://rhn.redhat.com/errata/RHSA-2012-0678.html	Third Party Advisory
3	http://secunia.com/advisories/49273
4	http://www.debian.org/security/2012/dsa-2418	Third Party Advisory
5	http://www.mandriva.com/security/advisories?name=MDVSA-2012:026	Broken Link
6	http://www.postgresql.org/about/news/1377/	Vendor Advisory
7	http://www.postgresql.org/docs/8.4/static/release-8-4-11.html	Release Notes Vendor Advisory
8	http://www.postgresql.org/docs/9.0/static/release-9-0-7.html	Release Notes Vendor Advisory
9	http://www.postgresql.org/docs/9.1/static/release-9-1-3.html	Release Notes Vendor Advisory
10	http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html	Third Party Advisory
11	http://www.postgresql.org/docs/9.1/static/release-9-1-3.html	Release Notes Vendor Advisory
12	http://www.postgresql.org/docs/9.0/static/release-9-0-7.html	Release Notes Vendor Advisory
13	http://www.postgresql.org/docs/8.4/static/release-8-4-11.html	Release Notes Vendor Advisory
14	http://www.postgresql.org/about/news/1377/	Vendor Advisory
15	http://www.mandriva.com/security/advisories?name=MDVSA-2012:026	Broken Link
16	http://www.debian.org/security/2012/dsa-2418	Third Party Advisory
17	http://secunia.com/advisories/49273
18	http://rhn.redhat.com/errata/RHSA-2012-0678.html	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html
2	CWE-295	不正な証明書検証	https://cwe.mitre.org/data/definitions/295.html

Configuration5	or higher	or less	more than	less than
cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:::::::*
cpe:2.3:o:redhat:enterprise_linux_server_eus:6.2.z:::::::*
cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux:5.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:::::::*
cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:::::::*
cpe:2.3:o:redhat:desktop_workstation:5:::::::*