CVE-2021-23214
📋 TL;DR
CVE-2021-23214 is a SQL injection vulnerability in PostgreSQL that allows man-in-the-middle attackers to inject arbitrary SQL queries during initial connection establishment, even when SSL certificate verification is enabled. This affects PostgreSQL servers configured with trust authentication requiring client certificates or using certificate authentication. The vulnerability bypasses SSL protections to execute unauthorized SQL commands.
💻 Affected Systems
- PostgreSQL
📦 What is this software?
Enterprise Linux For Ibm Z Systems by Redhat
Enterprise Linux For Power Little Endian by Redhat
Fedora by Fedoraproject
Postgresql by Postgresql
⚠️ Risk & Real-World Impact
Worst Case
Full database compromise including data theft, modification, deletion, or complete system takeover through privilege escalation.
Likely Case
Unauthorized data access, data manipulation, or privilege escalation leading to sensitive information disclosure.
If Mitigated
Limited impact with proper network segmentation, certificate pinning, and additional authentication layers.
🎯 Exploit Status
Exploitation requires a man-in-the-middle position on the network path during connection establishment. A proof-of-concept exists in public advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PostgreSQL 13.4, 12.8, 11.13, 10.18, 9.6.23
Vendor Advisory: https://www.postgresql.org/support/security/CVE-2021-23214/
Restart Required: Yes
Instructions:
1. Back up the database.
2. Stop the PostgreSQL service.
3. Upgrade to the patched version.
4. Restart the PostgreSQL service.
5. Verify that clients can connect and authenticate as before.
🔧 Temporary Workarounds
Disable vulnerable authentication methods
Change the authentication method from 'cert', or 'trust' with a clientcert requirement, to another method such as scram-sha-256 or md5.
Edit pg_hba.conf to replace 'cert' or 'trust' lines with 'scram-sha-256' or 'md5'.
Implement certificate pinning
Use certificate pinning at the application layer to prevent MITM attacks.
🧯 If You Can't Patch
- Implement strict network controls to prevent MITM attacks (VPNs, dedicated networks, certificate pinning)
- Add additional authentication layers beyond SSL certificates
🔍 How to Verify
Check if Vulnerable:
Check the PostgreSQL version with 'SELECT version();' and check pg_hba.conf for records that use cert authentication, or trust authentication with a clientcert requirement.
Check Version:
SELECT version();
Verify Fix Applied:
Confirm with 'SELECT version();' that the PostgreSQL version is 13.4, 12.8, 11.13, 10.18, 9.6.23 or later, i.e. at or above the patched release for the installed major line.
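The two verification steps above can be automated. The following Python script is an added example, not code from the advisory or from the PostgreSQL project: it parses pg_hba.conf records for 'cert' authentication or 'trust' with a clientcert requirement, and compares the text returned by SELECT version(); against the patched releases listed in the Official Fix section above (taken as given on this page; confirm them against the vendor advisory). The version string and pg_hba.conf contents are constructed samples; pass your own file contents to assess() instead.

```python
import re
# Methods pg_hba.conf accepts; lets the parser tell METHOD apart from an old-style separate MASK column.
AUTH_METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
                "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}
CLIENTCERT_REQUIRED = {"1", "verify-ca", "verify-full"}   # 'trust' plus one of these demands a client cert
# Fixed releases as listed in this page's Official Fix section (confirm against the vendor advisory).
PATCHED_VERSIONS = [(13, 4), (12, 8), (11, 13), (10, 18), (9, 6, 23)]
SAMPLE_VERSION = "PostgreSQL 13.3 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0, 64-bit"  # constructed
SAMPLE_HBA = """# constructed sample pg_hba.conf: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
local   all  all                        peer
host    all  all  127.0.0.1/32          scram-sha-256
hostssl all  all  10.0.0.0/8            cert clientcert=verify-full   # cert auth: exposed
hostssl all  app  10.1.0.0 255.255.0.0  trust clientcert=verify-ca    # trust + clientcert: exposed
hostssl all  all  0.0.0.0/0             trust                         # plain trust: not this CVE
"""

def parse_hba_line(line):
    """Return (type, method, options) for one pg_hba.conf record, None for blank/comment lines."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    idx = 3 if fields[0] == "local" else 4              # 'local' records carry no ADDRESS column
    if idx < len(fields) and fields[idx] not in AUTH_METHODS:
        idx += 1                                        # host record written as 'ADDRESS MASK METHOD'
    if idx >= len(fields):
        return None                                     # malformed record without a METHOD column
    return fields[0], fields[idx], dict(o.partition("=")[::2] for o in fields[idx + 1:])

def exposed_hba_records(conf_text):
    """1-based line numbers of records using 'cert', or 'trust' with a clientcert requirement."""
    return [n for n, raw in enumerate(conf_text.splitlines(), 1)
            if (rec := parse_hba_line(raw)) and
            (rec[1] == "cert" or (rec[1] == "trust" and rec[2].get("clientcert") in CLIENTCERT_REQUIRED))]

def version_is_patched(version_output):
    """True/False against PATCHED_VERSIONS; None when the major line is not listed there (e.g. 14.x)."""
    m = re.search(r"PostgreSQL (\d+(?:\.\d+)+)", version_output)
    if not m:
        raise ValueError("not the output of SELECT version();")
    version = tuple(int(p) for p in m.group(1).split("."))
    major = version[:2] if version[0] < 10 else version[:1]      # 9.6.x vs 10+ numbering
    for fixed in PATCHED_VERSIONS:
        if (fixed[:2] if fixed[0] < 10 else fixed[:1]) == major:
            return version >= fixed
    return None

def assess(version_output, conf_text):
    """At risk only when both hold: not known to be patched, and at least one exposed record."""
    patched, records = version_is_patched(version_output), exposed_hba_records(conf_text)
    return {"patched": patched, "exposed_records": records, "at_risk": patched is not True and bool(records)}
```

A major line the page does not list (such as 14.x) yields patched=None and is still flagged when exposed records exist, so that it is reviewed rather than silently passed.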
📡 Detection & Monitoring
Log Indicators:
- Unexpected SQL queries during connection establishment
- Authentication failures followed by successful connections
- Unusual connection patterns from same IP
Network Indicators:
- MITM activity on PostgreSQL port 5432
- SSL certificate validation failures
- Unusual packet injection during handshake
SIEM Query:
source="postgresql.log" AND ("cert" OR "trust") AND "authentication" AND "failed"
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2022666
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951
- https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
- https://security.gentoo.org/glsa/202211-04
- https://www.postgresql.org/support/security/CVE-2021-23214/