CVE-2017-11509: Firebird fbudf Module Authenticated Remote Code Execution – Firebird News
Posted by jpluimers on 2018/05/31
Ouch (despite one needs authenticated access): [WayBack] Firebird fbudf Module Authenticated Remote Code Execution – Firebird News
Here is the description for CVE-2017-11509
An authenticated remote attacker can execute arbitrary code in Firebird SQL
Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement. The
only known solution is to disable external UDF libraries from being loaded. In
order to achieve this, the default configuration has changed to UdfAccess=None.
This will prevent the fbudf module from being loaded, but may also break other
functionality relying on modules.Here is the Debian security page with the issue : CVE-2017-11509
The thing I am really not happy about is that the 90 day limit has been overdrawn by about 180 days (see https://www.tenable.com/security/research/tra-2017-36)
Related:
- [WayBack] NVD – CVE-2017-11509
- [WayBack] CVE-2017-11509
- [WayBack] [R1] Firebird fbudf Module Authenticated Remote Code Execution – Research Advisory | Tenable™
- [WayBack] Re: Wheezy update of firebird2.5?
Via:
- [WayBack] Here is the description for CVE-2017-11509 An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 b… – Firebird SQL – Google+
- [WayBack] Here is the description for CVE-2017-11509 An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 b… – Adrian Marius Popa – Google+
–jeroen
The Wiert Corner - irregular stream of stuff 
Leave a comment