Patch time for PostgreSQL The maintainers of the PostgreSQL database have released an urgent patch to cope with a vulnerability that allows remote users to crash servers, while authenticated users can execute arbitrary code. It's time for admins to get busy: the Shodan tool identifies around 170,000 servers that are visible from the Internet, here. As …
The vulnerability is of genuine concern, but the number of publicly accessible PgSQL servers out there is just as worrying.
Why on earth would you need your DB server visible to the Internet? All communication with it should be using an authenticated connection configured in an application running on another server or servers - the application servers themselves are usually not needed to be visible on the Internet, as they'll be behind a load balancer and / or something like Apache HTTPD.
If developers of database software actually cared about security, it would not matter whether you expose Apache or Postgresql.
But we have all been conditioned to expect database servers to have almost no security at all. You have to question whether that Expectation Of Shit is acutally correct.
I should think Denial of Service would affect most servers.
PostgreSql is an enterprise ready DB server. It has High Availability and Scalability features.
Products from established vendors - Oracle, IBM and Microsoft may be easier to use but cost a lot more.
Good Business Applications are written in such a way that they can run on all four database servers.
Companies are free to chose whether they want to pay for an easier to use application stack.
When I used Oracle 8 more than ten years ago, it could be crashed by simply telneting into the listener port and then randomly hitting the keyboard. Note that I did NOT use the official API, I did not use any userids or passwords. Such was the extremely crappy state of Oracle security. If I had been a blackhat, I would have developed an exploit to own the entire database, there's little doubt about that.
Then MS, I read they had a very similar weakness which was discovered by some minor "fuzzing" of the client-server data stream. You could use that also before you entered a password.
Then MySQL. Just recently a colleague of mine discovered you could crash it by means of setting a trigger on an integer column and then inserting a "too big" value.
To conclude, commercial software typically is a Can Of Worms, security-wise.
I used Postgresql and found it to be quite regular, simple and not at all more complicated than anything else from DB/2 to Mysql. I BET Postgresql is much more secure, as we can inspect the code, while with the commercial vendors you have to trust the pledges of a slimy creature who only cares about extracting your money and diverting it into his pockets.
Elite software users such as Deutsche Börse get rid of Oracle and the other commercialware and are moving all their systems to Linux, Postgres, gcc and the like.
Agreed. Sometimes you don't even need any help... I've seen Oracle Application Server DoS its RDBMS (also Oracle)
PostgreSQL is indeed fine enterprise ready server. And for estabilishments where all software must be purchased so finger pointing ... I mean support is available there is always EnterpriseDB.
Admittedly Oracle won the marketing war, but Sybase Adaptive Server is still very much alive as well and I would class Sybase (even if SAP bought them) as estabilished vendor.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
