CVE-2024-0985 - PostgreSQL security bypass vulnerability

04-23-2024 08:14 PM
KikSiops
Occasional Contributor

Hi,

A vulnerability has been identified in PostgreSQL for which I have been identified as the owner. Can someone assist us to please determine if this system is vulnerable and complete remediation?

Vulnerability Name: CVE-2024-0985 - PostgreSQL security bypass vulnerability

We would like to ask for assistance on how to remediate this?

Affected servers are our ArcGIS Monitors.

 

Thanks in advance 😊

2 Replies
MarceloMarques
Esri Regular Contributor

@KikSiops 

If it is a PostgreSQL vulnerability, then install the latest PostgreSQL update.

PostgreSQL: CVE-2024-0985: PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbi...

I explain how to patch PostgreSQL in the white papers below.

How to Upgrade the PostgreSQL and PostGIS version for the Enterprise Geodatabase on Windows
How to Upgrade the PostgreSQL and PostGIS version for the Enterprise Geodatabase on Linux

I hope this clarifies.

| Marcelo Marques | Esri Principal Product Engineer | Cloud & Database Administrator | OCP - Oracle Certified Professional | "In 1992, I embarked on my journey with Esri Technology, and since 1997, I have been working with ArcSDE Geodatabases, right from its initial release. Over the past 32 years, my passion for GIS has only grown stronger." | "I do not fear computers. I fear the lack of them." Isaac Asimov |
DerekLaw
Esri Esteemed Contributor

Hi @KikSiops,

In future, I would ask that you please contact Esri Tech Support directly with possible security vulnerability questions. It is company policy to address these concerns directly with customers to ensure correct and accurate information is communicated. Other reasons: to avoid potential false alarms and to avoid advertising/promoting a potential security issue. 

A good resource to be aware of is the ArcGIS Trust Site: https://trust.arcgis.com/en/

Hope this helps,
