CVE-2017-7485: PostgreSQL vulnerabilities
Severity
High
Description
It was discovered that the PostgreSQL client library (libpq) did not enforce the use of TLS/SSL for a connection to a PostgreSQL server when the PGREQUIRESSL environment variable was set. A man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
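As an added example (not part of the advisory and not PostgreSQL's own code), a small Python audit of a libpq connection string that reports whether TLS is actually required and whether that requirement rests only on the PGREQUIRESSL variable the affected libpq ignored. The precedence it assumes (sslmode in the conninfo, then PGSSLMODE, then PGREQUIRESSL=1 meaning require, then the default prefer) is an assumption, and it parses only keyword=value conninfo strings, not postgres:// URIs.

```python
import os
import re

# Constructed audit helper (an added example, not the advisory's own tooling).
# Assumed precedence for libpq's TLS policy: sslmode in the conninfo string,
# then PGSSLMODE, then PGREQUIRESSL starting with "1" (meaning require), then
# the default "prefer". Only keyword=value conninfo strings are parsed.
NEGOTIABLE = {"disable", "allow", "prefer"}  # downgradable to cleartext by an attacker in the path

# key = value, value either bare or single-quoted with backslash escapes
_PAIR = re.compile(r"\s*([A-Za-z_]\w*)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))")

def parse_conninfo(conninfo):
    """Parse a libpq conninfo string into a dict of keyword -> value."""
    opts, pos = {}, 0
    while pos < len(conninfo) and not conninfo[pos:].isspace():
        m = _PAIR.match(conninfo, pos)
        if not m:
            raise ValueError("malformed conninfo at offset %d" % pos)
        key, quoted, bare = m.groups()
        opts[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
        pos = m.end()
    return opts

def effective_sslmode(conninfo, env):
    """Return (sslmode, source): which setting decides whether TLS is required."""
    opts = parse_conninfo(conninfo)
    if "sslmode" in opts:
        return opts["sslmode"], "conninfo"
    if env.get("PGSSLMODE"):
        return env["PGSSLMODE"], "PGSSLMODE"
    if env.get("PGREQUIRESSL", "").startswith("1"):
        return "require", "PGREQUIRESSL"
    return "prefer", "default"

def audit(conninfo, env=None):
    """List what a defender should fix: negotiable TLS, or TLS required only via PGREQUIRESSL."""
    mode, source = effective_sslmode(conninfo, os.environ if env is None else env)
    findings = []
    if mode in NEGOTIABLE:
        findings.append("sslmode=%s is negotiable; an attacker in the path can strip TLS" % mode)
    if source == "PGREQUIRESSL":
        findings.append("TLS required only through PGREQUIRESSL, which affected libpq builds "
                        "ignored (CVE-2017-7485); set sslmode explicitly instead")
    if mode == "require":
        findings.append("sslmode=require encrypts but does not verify the server certificate; "
                        "verify-full also authenticates the server")
    return findings
```

Run `audit()` over each connection string your deployments use (with the environment they run under) to find clients whose only TLS enforcement was the ignored variable.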
Affected VMware Products and Versions
Severity is high unless otherwise noted.
- Pivotal Greenplum 4.3.x versions prior to 4.3.14.1
Mitigation
Users of affected versions should apply the following mitigation:
- The Cloud Foundry team recommends upgrading BOSH stemcells and/or other OSS components listed here if applicable.
- Releases that have fixed this issue include:
  - Pivotal Greenplum: 4.3.14.1