Summary & Key Actions Required

We have completed our analysis of CVE-2024-0985 which we became aware of on February 12th 2024 and currently has a base CVSS score of 8.0 and impacts the all usages of PostgreSQL databases (either as part of the Avantra server installation or monitored by Avantra). We will update this article if any more information becomes available and will highlight if our recommendations or plans change.

The current recommendation is for customers to upgrade affected PostgreSQL databases to versions that are have patched the vulnerability and no update to Avantra software components is required.

Related security articles:

• https://www.postgresql.org/support/security/CVE-2024-0985/
  
• https://nvd.nist.gov/vuln/detail/CVE-2024-0985/
• Avantra Hardening Guide

CVE-2023-49093 Summary

Please see this article for more information:

• https://nvd.nist.gov/vuln/detail/CVE-2024-0985/

Impact to Avantra

We have completed our investigations and analysis around this CVE.

Avantra does not make use of materialised views when dealing with PostgreSQL databases however Avantra does allow users to create custom checks and automations that could make use of these vulnerable features. However, as access to these features is through the Avantra UI and restricted to known, authenticated users, the risk is lower.

Impact on our customers

We recommend customers upgrade PostgreSQL to a supported version that is not vulnerable to this attack during your next patching cycle and maintain security updates to Avantra's underlying PostgreSQL database.

Change Log

We, at Avantra, take the security of our software and our customers very seriously and it is our top priority. We will keep you up to date as more information becomes available and encourage customers to subscribe to the security section of our forum to get proactive updates as we post them.