
Need Postgres upgrade from 9.6.2 to 9.6.20.


Article ID: 215473

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

We ran vulnerability scans and found that we are on a version of Postgres that has vulnerabilities.

We are on CA APM version 10.7 SP3 and have applied hotfix HF41.

Is there an update that we can apply to get Postgres up to 9.6.20?

The findings are below:

PostgreSQL 9.5.x < 9.5.24 / 9.6.x < 9.6.20 / 10.x < 10.15 / 11.x < 11.10 / 12.x < 12.5 / 13.x < 13.1 Multiple Vulnerabilities

Plugin Output: 
  Path              : F:\Program Files\CA APM\PostgreSQL-9.6.2
  Installed version : 9.6.2
  Fixed version     : 9.6.20

The version of PostgreSQL installed on the remote host is 9.5 prior to 9.5.24, 9.6 prior to 9.6.20, 10 prior to 10.15, 11 prior to 11.10, 12 prior to 12.5, or 13 prior to 13.1. As such, it is potentially affected by multiple vulnerabilities :
  - Multiple features escape security restricted operation sandbox (CVE-2020-25695)
  - Reconnection can downgrade connection security settings (CVE-2020-25694)
  - psql's gset allows overwriting specially treated variables (CVE-2020-25696)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
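As an added example (not part of this article or of the Nessus plugin), the version-only check the plugin describes, using the fixed-version table from the plugin title and a constructed copy of the quoted plugin output; like Nessus, it judges from the self-reported version string alone, so it cannot tell whether a fix was backported.

```python
import re

# Fixed release per PostgreSQL branch, as listed in the plugin title.
FIXED_VERSIONS = {
    (9, 5): (9, 5, 24),
    (9, 6): (9, 6, 20),
    (10,): (10, 15),
    (11,): (11, 10),
    (12,): (12, 5),
    (13,): (13, 1),
}

def parse_version(text):
    """Turn '9.6.2' or '10.15' into a tuple of ints for comparison."""
    return tuple(int(p) for p in text.strip().split("."))

def branch_of(version):
    """Branches had two numbers before 10 (9.6) and one from 10 on."""
    return version[:2] if version[0] < 10 else version[:1]

def assess(installed_text):
    """Return (affected, fixed_version) for a self-reported version;
    (None, None) when the branch is not in the plugin's table."""
    installed = parse_version(installed_text)
    fixed = FIXED_VERSIONS.get(branch_of(installed))
    if fixed is None:
        return None, None
    return installed < fixed, ".".join(map(str, fixed))

def assess_plugin_output(output):
    """Pull 'Installed version : x.y.z' out of Nessus plugin output."""
    m = re.search(r"Installed version\s*:\s*([\d.]+)", output)
    if not m:
        raise ValueError("no installed version in plugin output")
    return assess(m.group(1))

# Constructed copy of the plugin output quoted in the article.
SAMPLE_OUTPUT = """Plugin Output:
  Path              : F:\\Program Files\\CA APM\\PostgreSQL-9.6.2
  Installed version : 9.6.2
  Fixed version     : 9.6.20
"""
```

`assess_plugin_output(SAMPLE_OUTPUT)` returns `(True, "9.6.20")` for the quoted finding, and the same check on the server's own `SELECT version()` output is a quick way to confirm the scanner's reading before and after patching.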

Cause

It is a "Nessus" scan.

http://www.nessus.org/u?ccdf09f5
https://access.redhat.com/security/cve/CVE-2020-25695
https://access.redhat.com/security/cve/CVE-2020-25694
https://access.redhat.com/security/cve/CVE-2020-25696

Environment

Release : 10.7.0

Component : Integration with APM

Resolution

The fix will be added to CA APM 10.7 SP4 - current ETA July 31st.