Pgpool-II is a tool to add useful features to PostgreSQL, including
connection pooling, load balancing, automatic fail over and more.
PgPool Global Development Group has released a Security Update of pgpoolAdmin.
The purpose of this release is to address CVE-2018-16203, which
allow an attacker to login without properly checking the authorization.
Once getting into pgpoolAdmin, the attacker can control Pgpool-II.
Also it may be possible to obtain the superuser role of a PostgreSQL database.
This vulnability affects all versions of pgpoolAdmin. We recommend
upgrade pgpoolAdmin to 4.0.1 immediately (remember that pgpoolAdmin
4.0.1 is compatible with Pgpool-II 3.4 or later).
PgPool Global Development Group would like to thank Fotios Rogkotis
of DarkMatter for finding the security issue and giving us the
detailed studies on it.
You can download the source code and RPMs from:
http://pgpool.net/mediawiki/index.php/Downloads
--
Bo Peng <pengbo@sraoss.co.jp>
SRA OSS, Inc. Japan