Thread: Information to CVE-2022-42889

Information to CVE-2022-42889

From
Cedric Aaron Towstyka
Date:

Hello dear PostgreSQL Server Team,

The German bureau for IT security "BSI" (Bundesamt für Sicherheit in der Informationstechnik) has issued a warning for CVE-2022-42889 with the name commons-text. Insurance companies are obliged to analyse the installed software for vulnerabilities of this type.
As Barmenia is using your product PostgreSQL Server, it is necessary to obtain all information regarding any vulnerability against the above CVE.

We kindly ask you to provide information if the above product is affected by the CVE and if yes, when a fix will be available.

With the request for short-term feedback.

Kind Regards.

Cedric Aaron Towstyka

Databaseadministrator

Barmenia Krankenversicherung a. G.

Barmenia Allgemeine Versicherungs-AG

Barmenia Lebensversicherung a. G.

Barmenia-Allee 1

42119 Wuppertal


Re: Information to CVE-2022-42889

From
Erik Wienhold
Date:
> On 08/11/2022 11:50 CET Cedric Aaron Towstyka <cedric-aaron.towstyka@barmenia.de> wrote:
>
> the German bureau for IT security "BSI" (Bundesamt für Sicherheit in der
> Informationstechnik) has issued a warning for CVE-2022-42889 with the name
> commons-text. Insurance companies are obliged to analyse the installed
> software for vulnerabilities of this type.  As the Barmenia is using your
> product PostgreSQL Server it is necessary to obtain all information regarding
> any vulnerability against above CVE.  We kindly ask you to provide information
> if the above product is affected by the CVE and if yes, when a fix will be
> available.

Postgres does not use Java and should not be affected.  Maybe if you use
PL/Java[1].

This CVE reminds me of Log4j from last year[2].

[1] https://tada.github.io/pljava/
[2] https://www.postgresql.org/message-id/flat/30390f0b07fd4d90b1aacb683ebfae45%40pictet.com

--
Erik



Re: Information to CVE-2022-42889

From
Karsten Hilbert
Date:
> the German bureau for IT security "BSI" (Bundesamt für Sicherheit in der Informationstechnik) has issued a warning
> for CVE-2022-42889 with the name commons-text. Insurance companies are obliged to analyse the installed software for
> vulnerabilities of this type.
> As Barmenia is using your product PostgreSQL Server it is necessary to obtain all information regarding any
> vulnerability against the above CVE.
> We kindly ask you to provide information if the above product is affected by the CVE and if yes, when a fix will be
> available.
>
> With the request for short-term feedback.

It might be prudent for Barmenia, a large insurance company, to consider
purchasing commercial support rather than requesting short-term feedback
from volunteers.

Other than that there's also excellent documentation and freely
inspectable source code.

Best regards,
Karsten



Re: Information to CVE-2022-42889

From
Imre Samu
Date:
> if the above product is affected by the CVE 

You will find the "Known PostgreSQL Security Vulnerabilities in Supported Versions"

For the PostgreSQL JDBC Driver:

you have to search for the "commons-text-1.9.jar" (commons-text-*.*) on the servers or on the clients.
The PostgreSQL ecosystem is huge (e.g. a driver, an extension, or an installer), so you have to check any Java-related software.

Anyway, it's a good time to install the latest patch version of everything
(latest PostgreSQL JDBC Driver, or latest Postgres minor version; see: https://www.postgresql.org/support/versioning/).
The next minor release is expected on November 10th, 2022 (see https://www.postgresql.org/developer/roadmap/).
"The PostgreSQL Project releases security fixes as part of minor version updates. You are always advised to use the latest minor version available, as it will contain other non-security related fixes."

You will find professional services here: https://www.postgresql.org/support/professional_support/

Regards,
Imre
(Disclaimer: I am just a Postgres user and not a security expert!)


Cedric Aaron Towstyka <Cedric-Aaron.Towstyka@barmenia.de> wrote (on 8 Nov 2022, Tue, 12:10):
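As an added example of the jar search Imre describes (not code from the thread or the PostgreSQL project), this POSIX sh script lists commons-text jars by file name, looks inside jar/war/ear bundles where unzip exists, and reports hits below a fixed version you pass in from the advisory; the scanned directories and the minimum version are assumptions you supply.

```shell
#!/bin/sh
# Added inventory helper, not code from the thread: find commons-text jars
# on disk and inside jar/war/ear bundles, and flag versions below a given one.

# Print the version embedded in a file name such as .../commons-text-1.9.jar
commons_text_version() {
    printf '%s\n' "$1" | sed -n 's/.*commons-text-\([0-9][0-9A-Za-z.-]*\)\.jar$/\1/p'
}

# Exit 0 when dotted version $1 is lower than $2 (only numeric fields are compared)
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$a" = "$ai" ] && a= || a=${a#*.}
        [ "$b" = "$bi" ] && b= || b=${b#*.}
        ai=${ai%%[!0-9]*}; bi=${bi%%[!0-9]*}
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# Scan directories; one line per hit: "<archive>[!<entry>]<TAB><version>"
scan_commons_text() {
    for root in "$@"; do
        find "$root" -type f \( -name '*.jar' -o -name '*.war' -o -name '*.ear' \) 2>/dev/null |
        while IFS= read -r f; do
            v=$(commons_text_version "$f")
            if [ -n "$v" ]; then
                printf '%s\t%s\n' "$f" "$v"
            elif command -v unzip >/dev/null 2>&1; then
                # Bundled copy inside a fat jar/war/ear: list entries, extract nothing
                unzip -Z1 "$f" 2>/dev/null | grep 'commons-text-[0-9][^/]*\.jar$' |
                while IFS= read -r entry; do
                    printf '%s!%s\t%s\n' "$f" "$entry" "$(commons_text_version "$entry")"
                done
            fi
        done
    done
}

# Report every hit whose version is below $1 (pass the fixed version named in the advisory)
report_below() {
    min=$1; shift
    scan_commons_text "$@" | while IFS="$(printf '\t')" read -r loc ver; do
        if version_lt "$ver" "$min"; then printf 'UPDATE %s (%s)\n' "$loc" "$ver"; fi
    done
}
```

Run it as `report_below <fixed-version> /opt /usr/share /home` on each server and client host; the version threshold is a placeholder to be taken from the BSI advisory, not from this script.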