Tenable Report Issue even after upgrading to correct Postgres version
To Whom It May Concern:
We were informed by a customer using Tenable reports that we needed to upgrade Postgres from 12.2 to 12.7 due to vulnerability issues. We have since upgraded to the requested version of Postgres (12.7) but the Tenable report scans still show that the version is 12.2. After reaching out to Tenable, we found that the version information is not updated in the system registry where Tenable is pulling the information from. Is there any resolution for this?
Below is the registry information:
[inline screenshot: registry information]
And below this is proof that we upgraded the Postgres version:
[inline screenshot: upgraded Postgres version]
Thanks,
Kishore Isaac
Phone 301 477 7048
Web www.loccioni.com
________________________________________
PRIVACY
According to International Privacy Laws the information contained in this message is confidential and of exclusive use of the addressee(s). Should you receive this message by mistake, please delete it and send a written communication to privacy@loccioni.com
Please consider the environment before printing this email
On Thu, Nov 11, 2021 at 03:49:29PM +0000, Kishore Isaac wrote:
To Whom It May Concern:
We were informed by a customer using Tenable reports that we needed to upgrade
Postgres from 12.2 to 12.7 due to vulnerability issues. We have since upgraded
to the requested version of Postgres (12.7) but the Tenable report scans still
show that the version is 12.2. After reaching out to Tenable, we found that
the version information is not updated in the system registry where Tenable is
pulling the information from. Is there any resolution for this?
Below is the registry information:
Uh, I have no idea what Tenable is, which I think means we don't control
that way of distributing Postgres.
--
Bruce Momjian <bruce@momjian.us> https://momjian.us
EDB https://enterprisedb.com
If only the physical world exists, free will is an illusion.
On Thursday, November 11, 2021, Bruce Momjian <bruce@momjian.us> wrote:
On Thu, Nov 11, 2021 at 03:49:29PM +0000, Kishore Isaac wrote:
We were informed by a customer using Tenable reports that we needed to
upgrade Postgres from 12.2 to 12.7 due to vulnerability issues. We have since
upgraded to the requested version of Postgres (12.7) but the Tenable report scans
still show that the version is 12.2. After reaching out to Tenable, we found
that the version information is not updated in the system registry where
Tenable is pulling the information from. Is there any resolution for this?
Below is the registry information:
Uh, I have no idea what Tenable is, which I think means we don't control
that way of distributing Postgres.
IIUC Tenable is just a system scanner. Apparently whoever built the
Windows installer/upgrade binary for this customer (likely EDB) puts
version info, during initial install, into the Windows Registry but
doesn't update that information upon performing a minor release patch.
This seems like a bug, though not of the core project but the distributor.
David J.
Hi,
I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded to
version v12.9-1 (the latest stable release) and the registry entry was
updated. I've attached the screenshots.
If the installation log is provided, we may know if the upgrade was really
successful.
On Thu, Nov 11, 2021 at 11:24 PM David G. Johnston <david.g.johnston@gmail.com> wrote:
On Thursday, November 11, 2021, Bruce Momjian <bruce@momjian.us> wrote:
On Thu, Nov 11, 2021 at 03:49:29PM +0000, Kishore Isaac wrote:
We were informed by a customer using Tenable reports that we needed to
upgrade Postgres from 12.2 to 12.7 due to vulnerability issues. We have since
upgraded to the requested version of Postgres (12.7) but the Tenable report
scans still show that the version is 12.2. After reaching out to Tenable, we found
that the version information is not updated in the system registry where
Tenable is pulling the information from. Is there any resolution for this?
Below is the registry information:
Uh, I have no idea what Tenable is, which I think means we don't control
that way of distributing Postgres.
IIUC Tenable is just a system scanner. Apparently whoever built the
Windows installer/upgrade binary for this customer (likely EDB) puts
version info, during initial install, into the Windows Registry but
doesn't update that information upon performing a minor release patch.
This seems like a bug, though not of the core project but the distributor.
David J.
--
Sandeep Thakkar
On Mon, Nov 15, 2021 at 10:05 AM Sandeep Thakkar <sandeep.thakkar@enterprisedb.com> wrote:
Hi,
I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded
to version v12.9-1 (the latest stable release) and the registry entry was
updated. I've attached the screenshots.
Please also note that Tenable should really *not* be checking what version
is installed in this way, as that info is intended for the installer (and
pgAdmin, and other similar apps) for internal use and non-security related
service discovery. It is easily possible for a user to update parts of the
PostgreSQL installation without changing that registry value, e.g. by
unpacking the zipped binary distribution over an existing installation.
Any security scanner worth its salt should be examining the VERSIONINFO
resource in postgres.exe to see what is actually installed (or connecting
to the database server and asking it, but that might be harder).
--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake
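As an added illustration of the check Dave describes (not code from the thread or from the EDB installer), the following PowerShell compares the three places a scanner could read the PostgreSQL version on Windows: the installer's registry value, the VERSIONINFO resource in postgres.exe, and the running server itself. The registry key layout and install path are assumptions based on the EDB installer and should be adjusted for the instance being checked.

```powershell
# Added example, not from the original thread. Assumes the EDB installer's
# HKLM:\SOFTWARE\PostgreSQL\Installations\* keys with a "Version" value, and a
# default bin directory; both are assumptions, adjust as needed.
param(
    [string]$BinDir   = 'C:\Program Files\PostgreSQL\12\bin',  # assumed install location
    [string]$Required = '12.7'                                  # minimum version the scan demanded
)

# Normalise "12.2-4", "12.9", "12.9.0.0" etc. to a comparable major.minor value.
function Get-MajorMinor([string]$v) {
    if ($v -match '(\d+)\.(\d+)') { [version]"$($Matches[1]).$($Matches[2])" } else { $null }
}

# 1. What the installer recorded at initial install time (what the scanner was reading).
$regVersions = Get-ChildItem 'HKLM:\SOFTWARE\PostgreSQL\Installations' -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).Version }

# 2. What is actually on disk: the VERSIONINFO resource of postgres.exe.
$exe = Join-Path $BinDir 'postgres.exe'
$fileVersion = (Get-Item $exe).VersionInfo.ProductVersion

# 3. What the running server reports (needs a reachable server and credentials for psql).
$serverVersion = & (Join-Path $BinDir 'psql.exe') -X -tA -c 'SHOW server_version' 2>$null

[pscustomobject]@{
    RegistryVersion = ($regVersions -join ', ')
    FileVersion     = $fileVersion
    ServerVersion   = $serverVersion
} | Format-List

# Prefer the server's answer, fall back to the binary; the registry is never authoritative.
$effective = Get-MajorMinor (($serverVersion, $fileVersion | Where-Object { $_ } | Select-Object -First 1))
if ($effective -and $effective -ge [version]$Required) {
    "Installed binary/server is $effective; meets required $Required."
} else {
    Write-Warning "Could not confirm a version >= $Required from the binary or server."
}

# Flag exactly the situation in this thread: registry stale relative to what is installed.
foreach ($rv in $regVersions) {
    if ((Get-MajorMinor $rv) -ne $effective) {
        Write-Warning "Registry reports $rv but binary/server reports ${effective}: a scanner reading the registry will be wrong."
    }
}
```

Run it elevated on the database host; a warning on the last check is the evidence to hand to the scanner vendor, and the VersionInfo line is what the scan should have been reading.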
Hi Dave,
Thanks for your response, is it possible to include the screenshots Sandeep sent?
Appreciate your help,
Kishore Isaac
Phone 301 477 7048
Web www.loccioni.com
From: Dave Page <dpage@pgadmin.org>
Sent: Monday, November 15, 2021 5:13 AM
To: Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>
Cc: David G. Johnston <david.g.johnston@gmail.com>; Bruce Momjian <bruce@momjian.us>; Kishore Isaac <k.isaac@loccioni.com>; pgsql-bugs@lists.postgresql.org
Subject: Re: Tenable Report Issue even after upgrading to correct Postgres version
On Mon, Nov 15, 2021 at 10:05 AM Sandeep Thakkar <sandeep.thakkar@enterprisedb.com> wrote:
Hi,
I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded to version v12.9-1 (the latest stable release) and the registry entry was updated. I've attached the screenshots.
Please also note that Tenable should really *not* be checking what version is installed in this way, as that info is intended for the installer (and pgAdmin, and other similar apps) for internal use and non-security related service discovery. It is easily possible for a user to update parts of the PostgreSQL installation without changing that registry value, e.g. by unpacking the zipped binary distribution over an existing installation.
Any security scanner worth its salt should be examining the VERSIONINFO resource in postgres.exe to see what is actually installed (or connecting to the database server and asking it, but that might be harder).
--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake
Hi
On Mon, Nov 15, 2021 at 8:59 PM Kishore Isaac <k.isaac@loccioni.com> wrote:
Hi Dave,
Thanks for your response, is it possible to include the screenshots
Sandeep sent?
Include them in what? They're already on his email and in the mailing list
archives. I don't understand what you're asking for.
Appreciate your help,
*Kishore Isaac*
Phone 301 477 7048
Web www.loccioni.com
*From:* Dave Page <dpage@pgadmin.org>
*Sent:* Monday, November 15, 2021 5:13 AM
*To:* Sandeep Thakkar <sandeep.thakkar@enterprisedb.com>
*Cc:* David G. Johnston <david.g.johnston@gmail.com>; Bruce Momjian <bruce@momjian.us>; Kishore Isaac <k.isaac@loccioni.com>; pgsql-bugs@lists.postgresql.org
*Subject:* Re: Tenable Report Issue even after upgrading to correct Postgres version
On Mon, Nov 15, 2021 at 10:05 AM Sandeep Thakkar <sandeep.thakkar@enterprisedb.com> wrote:
Hi,
I installed v12.2-4 on my Windows VM, launched StackBuilder and upgraded
to version v12.9-1 (the latest stable release) and the registry entry was
updated. I've attached the screenshots.
Please also note that Tenable should really *not* be checking what version
is installed in this way, as that info is intended for the installer (and
pgAdmin, and other similar apps) for internal use and non-security related
service discovery. It is easily possible for a user to update parts of the
PostgreSQL installation without changing that registry value, e.g. by
unpacking the zipped binary distribution over an existing installation.
Any security scanner worth its salt should be examining the VERSIONINFO
resource in postgres.exe to see what is actually installed (or connecting
to the database server and asking it, but that might be harder).
--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake
--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake