EnterpriseDB · djw-m · Sep 23, 2024 · Sep 23, 2024 · Sep 23, 2024 · Sep 23, 2024
@@ -1,120 +1,46 @@
 ---
-WARNING: THIS IS AN AUTOMATICALLY GENERATED FILE - DO NOT MANUALLY EDIT - SEE tools/automation/generators/advisoryindex
-title: EDB Security
-navTitle: EDB Security
+title: EDB Security Hub
+navTitle: Security
 directoryDefaults:
   iconName: Security
-  indexCards: none
+  indexCards: full
   hideKBLink: true
+deepToC: true
 navigation:
-  - vulnerability-disclosure-policy
-  - advisories
-  - assessments
+- '#Guides'
+- securing-postgresql
+- securing-epas
+- securing-pgd
+- '#Resources'
+- notifications
 ---
 
-EDB is committed to a security first approach, from the products we build and the platforms we operate, to the services we provide our customers. Transparency is a core principle for the program and part of this effort includes welcoming incoming reports so that we can address concerns surfaced by our customers or security researchers. You’ll also find it in our advisories, which detail issues found and the required fixes or mitigations needed to keep your data and databases safe.
+This is the EDB Security Hub. It's a collection of resources to help you secure your PostgreSQL and EDB Postgres Databases, with everything from practical guides on how to secure your database, to the latest security updates and patches. 
 
-## Policies
+import TrustCenterLogo from './images/trust-center.png'
 
-* <h3><a href="vulnerability-disclosure-policy">EDB Vulnerability Disclosure Policy</a></h3>
-This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EDB.
+<CTA actions={{url: "https://trust.enterprisedb.com", text: "Go to the Trust Center"}}>
 
-## Advisories
+If you are looking for a higher-level overview of EDB's security posture, practices and commitments, you may want to check out the EDB Trust Center
 
-* <h3><a href="advisories/">Full list of advisories issued</a></h3>
+</CTA>
 
-## PostgreSQL CVE Assessments
+## What's in the Security Hub?
 
-* <h3><a href="assessments/">Full list of PostgreSQL CVE advisories assessed by EDB</a></h3>
+### Guides
 
-## Most Recent Advisories
+**[Securing PostgreSQL](securing-postgresql)** - This section provides a comprehensive guide on how to secure your PostgreSQL database. It covers everything from the basics of authentication and authorization, to more advanced topics such as encryption and auditing.
+* [PostgreSQL Security 101]() - The essentials of PostgreSQL security for those new to securing their database.
+* [PostgreSQL Security 201]() - More advanced topics for those looking to take their security to the next level.
+* [PostgreSQL Security 301]() - Your guide to Compliance, certifications, auditing and other higher-level issues.
 
-<table class="table-bordered">
+**[Securing EDB Postgres Advanced Server](securing-epas)** - This section provides a comprehensive guide on how to secure your EDB Postgres Advanced Server database. Building on the PostgreSQL guides, it covers features that are unique to EPAS. It includes a guide on how to secure your data at rest using Transparent Data Encryption (TDE) in EDB Postgres Advanced Server.
 
+**[Securing EDB Postgres Distributed](securing-pgd)** - This section provides a comprehensive guide on how to secure your EDB Postgres Distributed and the needs of a distributed database. Building on the Postgres and EPAS security guides, this section covers the unique security considerations for distributed databases.
 
-<tr><td>
-<details><summary><h3 style="display:inline">CVE-2024-4545 </h3>
-<span>
-&nbsp;&nbsp;<a href="advisories/cve20244545">Read Advisory</a>
-&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
-<h4>EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr</h4>
-<h5> All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0</h5>
-</summary>
-<hr/>
-<em>Summary:</em>&nbsp;
-All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using <code>edbldr</code> to bypass role permissions from <code>pg_read_server_files</code>. This could allow low privilege users to read files to which they would not otherwise have access.
-<br/>
-<a href="advisories/cve20244545">Read More...</a>
-</details></td></tr>
+### Resources
 
-</table>
+**[Notifications](notifications)** - This is where you'll find reported security vulnerabilities and details on how to address them. This includes flaws which have been fixed in the PostgreSQL community and assessments on how they impact EDB users, as well as any advisories and fixes released by EDB.
 
-## Most Recent Assessments
-
-<table class="table-bordered">
-
-
-<tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-7348 </h3>
-<span>
-&nbsp;&nbsp;<a href="assessments/cve-2024-7348">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/08/15</span>
-<h4>PostgreSQL relation replacement during pg_dump executes arbitrary SQL</h4>
-<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13</h5>
-</summary>
-<hr/>
-<em>Summary:</em>&nbsp;
-Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
-<br/>
-<a href="assessments/cve-2024-7348">Read More...</a>
-</details></td></tr>
-
-
-<tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-4317 </h3>
-<span>
-&nbsp;&nbsp;<a href="assessments/cve-2024-4317">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
-<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
-<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12</h5>
-</summary>
-<hr/>
-<em>Summary:</em>&nbsp;
-Missing authorization in PostgreSQL built-in views <code>pg_stats_ext</code> and <code>pg_stats_ext_exprs</code> allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
-<br/>
-<a href="assessments/cve-2024-4317">Read More...</a>
-</details></td></tr>
-
-
-<tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-1597 </h3>
-<span>
-&nbsp;&nbsp;<a href="assessments/cve-2024-1597">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/03/08</span>
-<h4>SQL Injection via line comment generation</h4>
-<h5> pgJDBC all versions prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 and EDB pgJDBC all versions prior to 42.5.5</h5>
-</summary>
-<hr/>
-<em>Summary:</em>&nbsp;
-pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
-<br/>
-<a href="assessments/cve-2024-1597">Read More...</a>
-</details></td></tr>
-
-
-<tr><td>
-<details><summary><h3 style="display:inline"> CVE-2024-0985 </h3>
-<span>
-&nbsp;&nbsp;<a href="assessments/cve-2024-0985">Read Assessment</a>
-&nbsp;&nbsp;Updated: </span><span>2024/02/26</span>
-<h4>PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL</h4>
-<h5> PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0</h5>
-</summary>
-<hr/>
-<em>Summary:</em>&nbsp;
-Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
-<br/>
-<a href="assessments/cve-2024-0985">Read More...</a>
-</details></td></tr>
+---
 
-</table>
@@ -73,7 +73,7 @@ Updated EDB JDBC Drivers are available in EDB Repos in the form of RPM and DEB n
 
 ## Related information
 
-* [pjdbc team's advisory](https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56)
+* [pjdbc team's advisory](https://github.com/pgjdbc/pgjdbc/security/notifications/advisories/GHSA-24rp-q3w6-vc56)
 * [EnterpriseDB](https://www.enterprisedb.com/)
 * [EDB Blogs link](https://enterprisedb.com/blog/)
 

@@ -0,0 +1,121 @@
+---
+WARNING: THIS IS AN AUTOMATICALLY GENERATED FILE - DO NOT MANUALLY EDIT - SEE tools/automation/generators/advisoryindex
+title: EDB Security Notifications
+navTitle: EDB Notifications
+directoryDefaults:
+  iconName: Security
+  indexCards: none
+  hideKBLink: true
+description: A full listing of all security advisories and assessments issued by EDB. It includes details on how to address them, as well as any advisories and fixes released by EDB.
+navigation:
+  - vulnerability-disclosure-policy
+  - advisories
+  - assessments
+---
+
+EDB is committed to a security first approach, from the products we build and the platforms we operate, to the services we provide our customers. Transparency is a core principle for the program and part of this effort includes welcoming incoming reports so that we can address concerns surfaced by our customers or security researchers. You’ll also find it in our advisories, which detail issues found and the required fixes or mitigations needed to keep your data and databases safe.
+
+## Policies
+
+* <h3><a href="vulnerability-disclosure-policy">EDB Vulnerability Disclosure Policy</a></h3>
+This policy outlines how EnterpriseDB handles disclosures related to suspected vulnerabilities within our products, systems, or services. It also provides guidance for those who wish to perform security research, or may have discovered a potential security vulnerability impacting EDB.
+
+## Advisories
+
+* <h3><a href="advisories/">Full list of advisories issued</a></h3>
+
+## PostgreSQL CVE Assessments
+
+* <h3><a href="assessments/">Full list of PostgreSQL CVE advisories assessed by EDB</a></h3>
+
+## Most Recent Advisories
+
+<table class="table-bordered">
+
+
+<tr><td>
+<details><summary><h3 style="display:inline">CVE-2024-4545 </h3>
+<span>
+&nbsp;&nbsp;<a href="advisories/cve20244545">Read Advisory</a>
+&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
+<h4>EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr</h4>
+<h5> All versions of EDB Postgres Advanced Server (EPAS) edbldr from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using <code>edbldr</code> to bypass role permissions from <code>pg_read_server_files</code>. This could allow low privilege users to read files to which they would not otherwise have access.
+<br/>
+<a href="advisories/cve20244545">Read More...</a>
+</details></td></tr>
+
+</table>
+
+## Most Recent Assessments
+
+<table class="table-bordered">
+
+
+<tr><td>
+<details><summary><h3 style="display:inline"> CVE-2024-7348 </h3>
+<span>
+&nbsp;&nbsp;<a href="assessments/cve-2024-7348">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/08/15</span>
+<h4>PostgreSQL relation replacement during pg_dump executes arbitrary SQL</h4>
+<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.4, 15.8, and 14.13</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
+<br/>
+<a href="assessments/cve-2024-7348">Read More...</a>
+</details></td></tr>
+
+
+<tr><td>
+<details><summary><h3 style="display:inline"> CVE-2024-4317 </h3>
+<span>
+&nbsp;&nbsp;<a href="assessments/cve-2024-4317">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/05/09</span>
+<h4>Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner</h4>
+<h5> All versions of PostgreSQL, EPAS and PGE prior to 16.3, 15.7, and 14.12</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+Missing authorization in PostgreSQL built-in views <code>pg_stats_ext</code> and <code>pg_stats_ext_exprs</code> allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
+<br/>
+<a href="assessments/cve-2024-4317">Read More...</a>
+</details></td></tr>
+
+
+<tr><td>
+<details><summary><h3 style="display:inline"> CVE-2024-1597 </h3>
+<span>
+&nbsp;&nbsp;<a href="assessments/cve-2024-1597">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/03/08</span>
+<h4>SQL Injection via line comment generation</h4>
+<h5> pgJDBC all versions prior to 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 and EDB pgJDBC all versions prior to 42.5.5</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query,bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
+<br/>
+<a href="assessments/cve-2024-1597">Read More...</a>
+</details></td></tr>
+
+
+<tr><td>
+<details><summary><h3 style="display:inline"> CVE-2024-0985 </h3>
+<span>
+&nbsp;&nbsp;<a href="assessments/cve-2024-0985">Read Assessment</a>
+&nbsp;&nbsp;Updated: </span><span>2024/02/26</span>
+<h4>PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL</h4>
+<h5> PostgreSQL, EPAS all versions prior to 15.6.0,14.11.0,13.14.20 and 12.18.23, PGE all versions prior to 15.6.0</h5>
+</summary>
+<hr/>
+<em>Summary:</em>&nbsp;
+Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
+<br/>
+<a href="assessments/cve-2024-0985">Read More...</a>
+</details></td></tr>
+
+</table>
@@ -0,0 +1,8 @@
+---
+title: Transparent Data Encryption for Postgres
+navTitle: TDE
+description: Transparent Data Encryption (TDE) is a technology that encrypts data at rest. This guide provides an overview of TDE and how to implement it in PostgreSQL.
+---
+
+TBD
+
@@ -0,0 +1,8 @@
+---
+title: Securing EDB Postgres Advanced Server
+navTitle: Securing EPAS
+description: This section provides a comprehensive guide on how to secure your EDB Postgres Advanced Server database. Building on the PostgreSQL guides, it covers features that are unique to EPAS.
+---
+
+TBD
+
@@ -0,0 +1,8 @@
+---
+title: Securing EDB Postgres Distributed
+navTitle: Securing PGD
+description: Containing, a full explanation on why and how to secure your EDB Postgres Distributed clusters and the needs of a distributed database. Building on the PostgreSQL and EPAS security guides, this section covers the unique security considerations for distributed databases.
+---
+
+TBD
+