Check: CD12-00-012900
Crunchy Data PostgreSQL STIG:
CD12-00-012900
(in version v2 r2)
Title
PostgreSQL products must be a version supported by the vendor. (Cat I impact)
Discussion
Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.
Check Content
If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system: To list the version of installed PostgreSQL using psql: $ sudo su - postgres $ psql --version To list the current version of software for RPM: $ rpm -qa | grep postgres To list the current version of software for APT: $ apt-cache policy postgres All versions of PostgreSQL will be listed here: http://www.postgresql.org/support/versioning/ All security-relevant software updates for PostgreSQL will be listed here: http://www.postgresql.org/support/security/ If PostgreSQL is not at the latest version, this is a finding.
Fix Text
Remove or decommission all unsupported software products. Upgrade unsupported DBMS or unsupported components to a supported version of the product.
Additional Identifiers
Rule ID: SV-259740r944425_rule
Vulnerability ID: V-259740
Group Title: SRG-APP-000456-DB-000400
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-003376 |
The organization replaces information system components when support for the components is no longer available from the developer, vendor, or manufacturer. |
Controls
Number | Title |
---|---|
SA-22 |
Unsupported System Components |