Impact
A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.
Patches
To resolve a possible MITM attack on SSL connections using the PostgreSQL JDBC driver, it is recommended to upgrade the driver to the current release, or at a minimum to 42.2.5 or later.
The JDBC driver is commonly found in the Tomcat "lib" directory, as it is needed to create a connection to the Flamingo database both for authentication and for storing and retrieving configuration data. This file is not part of the Flamingo web applications and should be updated manually.
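As an added illustration (not code from this advisory or from the pgjdbc project), the weak and the corrected connection settings side by side, with a small audit of a `Properties` object for the combination the advisory describes: a custom SSL factory without a host name verifier and without `sslmode=verify-full`. The property names `ssl`, `sslmode`, `sslfactory`, `sslhostnameverifier` and `sslrootcert` are the driver's documented options; the host, database, certificate path and the custom factory class name are placeholders.

```java
import java.util.Properties;

public class PgJdbcSslConfigCheck {

    // Placeholder URL; host and database name are assumptions for this example.
    static final String URL = "jdbc:postgresql://db.example.internal:5432/flamingo";

    // Weak: a custom SSL factory is supplied, but no host name verifier and no
    // verify-full mode. On drivers before 42.2.5 the host name is not checked,
    // which is the condition CVE-2018-10936 describes.
    static Properties weakProps() {
        Properties p = new Properties();
        p.setProperty("ssl", "true");
        p.setProperty("sslfactory", "com.example.CustomSslFactory"); // placeholder class
        return p;
    }

    // Corrected: verify-full requires both a trusted CA chain and a matching
    // server host name; sslrootcert pins the CA bundle the driver trusts.
    // The explicit verifier is the driver's own implementation.
    static Properties hardenedProps() {
        Properties p = new Properties();
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslrootcert", "/etc/flamingo/pg-ca.crt"); // placeholder path
        p.setProperty("sslhostnameverifier", "org.postgresql.ssl.PGjdbcHostnameVerifier");
        return p;
    }

    // Flags the risky combination from the advisory: a custom sslfactory with
    // neither a host name verifier nor sslmode=verify-full.
    static boolean lacksHostnameVerification(Properties p) {
        boolean customFactory = p.getProperty("sslfactory") != null;
        boolean hasVerifier = p.getProperty("sslhostnameverifier") != null;
        boolean verifyFull = "verify-full".equals(p.getProperty("sslmode"));
        return customFactory && !hasVerifier && !verifyFull;
    }

    public static void main(String[] args) {
        System.out.println("weak config skips host name check:     "
                + lacksHostnameVerification(weakProps()));
        System.out.println("hardened config skips host name check: "
                + lacksHostnameVerification(hardenedProps()));
        // Report the driver actually loaded from Tomcat's lib directory so the
        // installed version can be compared against the 42.2.5 minimum.
        System.out.println("loaded driver: " + org.postgresql.Driver.getVersion());
    }
}
```

Run it with the same postgresql-*.jar that Tomcat loads on the classpath; the version line shows whether the manual update described above has actually taken effect.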
References
Please see: CVE-2018-10936
For more information
If you have any questions or comments about this advisory: