CVE-2024-10979
📋 TL;DR
This vulnerability allows unprivileged database users in PostgreSQL to manipulate environment variables through PL/Perl, potentially leading to arbitrary code execution on the database server. It affects PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Attackers can exploit this without needing operating system-level access to the server.
💻 Affected Systems
- PostgreSQL
📦 What is this software?
Postgresql by Postgresql
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution, enabling data theft, lateral movement, or ransomware deployment.
Likely Case
Database compromise leading to data exfiltration, privilege escalation, or installation of persistence mechanisms.
If Mitigated
Limited impact if proper network segmentation, least privilege access, and monitoring are implemented.
🎯 Exploit Status
Exploitation requires database user credentials but no special privileges. Public proof-of-concept code exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21
Vendor Advisory: https://www.postgresql.org/support/security/CVE-2024-10979/
Restart Required: Yes
Instructions:
1. Back up your database.
2. Download and install the patched PostgreSQL version from official sources.
3. Restart the PostgreSQL service.
4. Verify the patch is applied.
🔧 Temporary Workarounds
Disable PL/Perl extension
Remove or restrict access to the PL/Perl procedural language extension.
DROP EXTENSION plperl;
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
Restrict user permissions
Limit which users can create or execute PL/Perl functions.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;
🧯 If You Can't Patch
- Implement strict network access controls to limit PostgreSQL connections to trusted sources only.
- Apply principle of least privilege: ensure database users have minimal necessary permissions and cannot create or execute PL/Perl functions.
🔍 How to Verify
Check if Vulnerable:
Check the PostgreSQL version and whether PL/Perl is installed (PL/Perl is a loadable language, so it appears in pg_language rather than in shared_preload_libraries): SELECT version(); SELECT lanname, lanpltrusted FROM pg_language WHERE lanname IN ('plperl', 'plperlu');
Check Version:
SELECT version();
Verify Fix Applied:
Verify the PostgreSQL version is patched: SELECT version(); and confirm it matches or exceeds the fixed version for the server's major branch (17.1, 16.5, 15.9, 14.14, 13.17, or 12.21).
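The version check above compares against a different fixed release per major branch, and the workarounds only help if no non-superuser role can still use PL/Perl. The following read-only script is an added example (not part of this advisory or of PostgreSQL's own tooling) that performs both checks against the running server using only the system catalog; the fixed-version table is taken from the advisory's patch versions.

```sql
-- Added example: one-shot exposure check for CVE-2024-10979 (read-only).
-- Run with psql as any role that can read the system catalog.

-- 1. Is this server on a patched release of its major branch?
--    server_version_num encodes MAJOR*10000 + MINOR, so 16.5 = 160005.
--    Thresholds are the fixed versions named in the advisory.
WITH fixed(major, min_num) AS (
  VALUES (17, 170001), (16, 160005), (15, 150009),
         (14, 140014), (13, 130017), (12, 120021)
)
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN current_setting('server_version_num')::int >= f.min_num
           THEN 'patched'
         ELSE 'VULNERABLE: upgrade to '
              || (f.min_num / 10000) || '.' || (f.min_num % 10000)
       END AS status
FROM fixed f
WHERE f.major = current_setting('server_version_num')::int / 10000;
-- No row returned means the major branch is not covered by this advisory
-- (for example a release newer than 17, or an unsupported branch below 12).

-- 2. Is PL/Perl (trusted or untrusted) installed in this database?
SELECT lanname, lanpltrusted
FROM pg_language
WHERE lanname IN ('plperl', 'plperlu');

-- 3. Which login roles that are NOT superusers can still use it?
--    Using OIDs avoids an error when the language is absent, because the
--    join simply yields no rows. Any row here means the REVOKE USAGE
--    workaround has not taken effect for that role.
SELECT l.lanname, r.rolname
FROM pg_language l
CROSS JOIN pg_roles r
WHERE l.lanname IN ('plperl', 'plperlu')
  AND r.rolcanlogin
  AND NOT r.rolsuper
  AND has_language_privilege(r.oid, l.oid, 'USAGE')
ORDER BY 1, 2;

-- 4. Existing PL/Perl functions and their owners, for the detection
--    section: unexpected entries here deserve a closer look.
SELECT n.nspname, p.proname, pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_language l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanname IN ('plperl', 'plperlu')
ORDER BY 1, 2;
```

Queries 2 to 4 are per-database, so repeat them in each database on the cluster (or script them over pg_database); query 1 is cluster-wide.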
📡 Detection & Monitoring
Log Indicators:
- Unusual PL/Perl function creation or execution
- Suspicious environment variable modifications in PostgreSQL logs
- Unexpected process spawns from PostgreSQL
Network Indicators:
- Anomalous database connections from unexpected sources
- Unusual outbound connections from database server
SIEM Query:
source="postgresql" AND (event="CREATE FUNCTION" OR event="EXECUTE FUNCTION") AND function_name ILIKE "%plperl%"