Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rL4fR-005yRW-9r for pgsql-novice@arkaria.postgresql.org; Wed, 03 Jan 2024 17:04:33 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.94.2) (envelope-from ) id 1rL4fP-006gxs-MO for pgsql-novice@arkaria.postgresql.org; Wed, 03 Jan 2024 17:04:31 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1rL4fP-006gxk-DW for pgsql-novice@lists.postgresql.org; Wed, 03 Jan 2024 17:04:31 +0000 Received: from mail-ed1-x52d.google.com ([2a00:1450:4864:20::52d]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.94.2) (envelope-from ) id 1rL4fM-00DZ4n-Kk for pgsql-novice@lists.postgresql.org; Wed, 03 Jan 2024 17:04:29 +0000 Received: by mail-ed1-x52d.google.com with SMTP id 4fb4d7f45d1cf-55676f1faa9so2307530a12.0 for ; Wed, 03 Jan 2024 09:04:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1704301467; x=1704906267; darn=lists.postgresql.org; h=to:subject:message-id:date:from:mime-version:from:to:cc:subject :date:message-id:reply-to; bh=k/g1rhvurX7TTY8nQr7aXIb3pBPzd9ALsywdjJ4BnLI=; b=MyjE508gJBmEz7h6e92hdM08bBXDky9fNT3EpLXkNm8cWmiMv9clBJYgDQcoosYjpw OPCawF55PfU+CzY7i+kD2+6536a6CDMOiC7qlaD+pJUOegQLoGU4pbHoBUyRnqjMB9/q gGIgGdjGsNpsF3EYVhOwzl7W8z+FfS7RO3gmb0d6TAB8anb4sx7UMxSgULFjbsezJFmv 06THRqRORWtKG+A8XY/cSNPu6NXPqwA2taUjmPqnEjFkV76sRTjJutpVxGTD3EqSnfof wGsCDy8fYaE289OcuicIcq/8LHTw6dUmZ1xDamnSJNDeG5PK9jxZm0wJrDwHENRZkaJ+ 2K5g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704301467; x=1704906267; h=to:subject:message-id:date:from:mime-version:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=k/g1rhvurX7TTY8nQr7aXIb3pBPzd9ALsywdjJ4BnLI=; b=tY6FI/4ivpV7ShHO7McSxOD7YUELIOoN/xaXF6ggJFHAFdAluJ/SAHptlGCyD0qzpC sFMZuL5LcriggU+Llp9EpEKhGQHHNxQqOv+UQhphhiGz/yMTmzs10NEznwp5Hp2aIzAk zqlnkXMRwuMSB0FUjqKq6aqBhrNllVLKOPDpqmnIa4taU24mKfrlfWOHpij+9P3zEreo 5X93tfVNu8WdL9lPLlBdItcK75C8JDW40bD7yIXm8QxGzLOAvMpOb2blH+r+UKNcDJmi XY7dbWLv2Y0pbO+VDc1hDo6h+Qoyzch8pap2X50gq63YtOceBpMhkWnJ1XKOolzAVHK9 HTGA== X-Gm-Message-State: AOJu0YybSBgbIj9IAbPWEDiubUvub3MwEmrnJCsPX8Cn1cZuTz76wAki OuXADN3tDlZnYoEQyGpXZI2Vj/srniaJTGNXnkwroARvhcTetw== X-Google-Smtp-Source: AGHT+IGpZDt9f9s1q89WFsEXrlSrF7UCK2T57KRX4AVw34GaE5HGZWPsoN8HEPtcCWivWFT17TTwBPBJqlucNZKKVLA= X-Received: by 2002:a50:8adc:0:b0:548:e0d0:de86 with SMTP id k28-20020a508adc000000b00548e0d0de86mr12297021edk.39.1704301466616; Wed, 03 Jan 2024 09:04:26 -0800 (PST) MIME-Version: 1.0 From: Al Wilson Date: Wed, 3 Jan 2024 12:03:51 -0500 Message-ID: Subject: Vulnerability remediation To: pgsql-novice@lists.postgresql.org Content-Type: multipart/alternative; boundary="0000000000008206a4060e0d9b1e" List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk --0000000000008206a4060e0d9b1e Content-Type: text/plain; charset="UTF-8" Does anyone have any insight on this? Perhaps point to something I can read? 1. Vulnerability scanner indicates "Postgres default account: postgres/no password" 2. Scanner states Proof as "Successfully authenticated to the Postgres service with credentials uid [postgres] pw [realm] 3. Application owner initially claimed that this was a false positive, but later claimed that it was resolved within the Docker instance 1. Scanner still showed vulnerability. 4. Found article that seemed to indicate that using the --env would address the postgres image vs. the Docker. 1. https://squaredup.com/blog/running-postgres-in-docker/ 2. Scanner still shows vulnerability. 5. PostGres version is 9.5, if that makes a difference. --0000000000008206a4060e0d9b1e Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
D= oes anyone have any insight on this?=C2=A0 Perhaps point to something I can= read?
    <= li style=3D"">Vulnerability scanner indicates "Postgr= es default account: postgres/no password"
  1. Scanner=C2=A0 states Proof as "Successfully authenticat= ed to the Postgres service with credentials uid [postgres] pw [realm]
  2. Application=C2=A0owner initially= =C2=A0claimed that this was a false positive, but later claimed that it was= resolved within the Docker instance
    1. Scanner still=C2=A0showed vulnerability.
  3. Found article that seemed to indicate that using the= --env would address the postgres image vs. the Docker.
    1. https://squaredup.com/blog/running-postgres-in-docker/<= /a>
    2. Scanner still shows vulnerab= ility.
  4. PostGres version is 9.5, if tha= t makes a difference.
--0000000000008206a4060e0d9b1e--