{
  "threat_severity" : "Moderate",
  "public_date" : "2017-12-07T00:00:00Z",
  "bugzilla" : {
    "description" : "postgresql: Start scripts permit database administrator to modify root-owned files",
    "id" : "1508985",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1508985"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-59",
  "details" : [ "Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine.", "Privilege escalation flaws were found in the Red Hat initialization scripts of PostgreSQL. An attacker with access to the postgres user account could use these flaws to obtain root access on the server machine." ],
  "statement" : "Red Hat Enterprise Linux 6 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.",
  "acknowledgement" : "This issue was discovered by Pedro Barbosa (Red Hat) and the PostgreSQL project. Upstream acknowledges Antoine Scemama (Brainloop) as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3402",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "postgresql-0:9.2.23-3.el7_4"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3403",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-postgresql94-postgresql-0:9.4.14-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3404",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-postgresql95-postgresql-0:9.5.9-4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3405",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-postgresql96-postgresql-0:9.6.5-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3403",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-postgresql94-postgresql-0:9.4.14-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3404",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-postgresql95-postgresql-0:9.5.9-4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3405",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6",
    "package" : "rh-postgresql96-postgresql-0:9.6.5-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3403",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql94-postgresql-0:9.4.14-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3404",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql95-postgresql-0:9.5.9-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3405",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql96-postgresql-0:9.6.5-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3403",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql94-postgresql-0:9.4.14-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3404",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql95-postgresql-0:9.5.9-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3405",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql96-postgresql-0:9.6.5-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3403",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql94-postgresql-0:9.4.14-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3404",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql95-postgresql-0:9.5.9-4.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3405",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql96-postgresql-0:9.6.5-2.el7"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.2",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3404",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.2",
    "package" : "rh-postgresql95-postgresql-0:9.5.9-4.el7"
  }, {
    "product_name" : "Red Hat Virtualization Engine 4.3",
    "release_date" : "2017-12-08T00:00:00Z",
    "advisory" : "RHSA-2017:3404",
    "cpe" : "cpe:/a:redhat:rhev_manager:4.3",
    "package" : "rh-postgresql95-postgresql-0:9.5.9-4.el7"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Under investigation",
    "package_name" : "rh-postgresql94-postgresql",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Under investigation",
    "package_name" : "rh-postgresql95-postgresql",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "postgresql",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "postgresql84",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "postgresql",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Satellite 5",
    "fix_state" : "Under investigation",
    "package_name" : "postgresql92-postgresql",
    "cpe" : "cpe:/a:redhat:network_satellite:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-15097\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-15097" ],
  "name" : "CVE-2017-15097",
  "csaw" : false
}