Skip to content

DRAFT: FDW security advisories (mysql_fdw / mongo_fdw / hdfs_fdw)#7189

Closed
vtran-edb wants to merge 5 commits into
developfrom
security/fdw-advisories-draft
Closed

DRAFT: FDW security advisories (mysql_fdw / mongo_fdw / hdfs_fdw)#7189
vtran-edb wants to merge 5 commits into
developfrom
security/fdw-advisories-draft

Conversation

@vtran-edb

@vtran-edb vtran-edb commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Summary

Draft security advisories for the three foreign data wrappers, covering the vulnerabilities fixed under FDW-753 / FDW-754 / FDW-755 / FDW-759. Seven advisory .mdx files (formatted to cve.mdx.template) plus the regenerated indexes.

Still a DRAFT — CVE IDs are now assigned, but First Published dates and first-fix release versions remain to be set before publication.

Advisories

File CVE ID Component CWE CVSS
cve202662151 CVE-2026-62151 mysql_fdw CWE-89 8.1 High
cve202662152 CVE-2026-62152 mysql_fdw CWE-269 / CWE-73 8.0 High
cve202662153 CVE-2026-62153 mysql_fdw CWE-89 7.2 High
cve202662154 CVE-2026-62154 mysql_fdw CWE-89 7.4 High
cve202662155 CVE-2026-62155 mongo_fdw CWE-74 / CWE-88 5.4 Medium
cve202662156 CVE-2026-62156 hdfs_fdw CWE-89 7.7 High
cve202662157 CVE-2026-62157 mongo_fdw CWE-125 4.2 Medium

CVE IDs reserved from the EDB CNA on 2026-07-13. All fixes reviewed against the final patch series (mongo v333, mysql v4444, hdfs v22).

Remaining before publishing

  • First Published date — currently TBD (advisories group under a "Released TBD" section until set).
  • First-fix release version — Remediation tables say "Pending release"; affected versions captured (mysql_fdw ≤ REL-2_9_3, mongo_fdw ≤ v3.0 / REL-5_5_3, hdfs_fdw ≤ v2.3.3). Confirm the earliest affected release.
  • Re-run tools/automation/generators/advisoryindex after dates are set so the index regroups by year.

Reviewer notes

  • CVE-2026-62155 (mongo_fdw URI injection) is rated 5.4 Medium, not the originally-proposed 8.5 High. The TLS-downgrade path requires server-owner privilege (authentication_database/replica_set are server options), not a plain user mapping; the low-privilege vector is connection redirection. See the advisory's Note block.
  • CVE-2026-62157 (mongo_fdw ObjectId OOB read) is borderline; PSIRT to confirm whether a CVE is warranted. Its fix (5d48478, FDW-753 v333-0002) has been reviewed and confirmed.

index.mdx and security/index.mdx were regenerated with the official generator (not hand-edited).

🤖 Generated with Claude Code

Add seven draft CVE advisories for the MySQL, MongoDB, and HDFS foreign
data wrappers, formatted to the security advisory template, plus the
regenerated advisories index.

DRAFT for dev-team review before publication. Placeholders remain:
- CVE IDs (CVE-YYYY-NNNN) pending assignment
- First Published dates and first-fix release versions
- CVE-G (mongo_fdw ObjectId OOB read) has an unresolved traceability gap
  and MUST NOT be published until commit 5d48478 is reviewed.

index.mdx regenerated via tools/automation/generators/advisoryindex.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@mpfuster mpfuster added the oncall label Jul 6, 2026
vtran-edb and others added 4 commits July 13, 2026 09:36
…5d48478)

The mongo_fdw ObjectId out-of-bounds fix was supplied as FDW-753 patch
v333-0002 (commit 5d48478) and has now been reviewed and confirmed:
12-byte bytea length check in append_mongo_value() and a
bson_oid_is_valid() gate in bsonOidFromString(), with a regression test.

Resolves the earlier traceability gap; CVE-G is no longer a publication
blocker. Remains borderline pending PSIRT's CVE determination.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…advisories A-D

The final squashed mysql_fdw commits were supplied as FDW-754 patches
v4444-0003 (8d01880, SQL injection) and v4444-0004 (cad96fe, superuser
gating) and have now been reviewed and confirmed:

- CVE-A: NO_BACKSLASH_ESCAPES + single-quote-only escaping (multibyte
  charset fix) present in v4444-0003 (was previously only in FDW-759).
- CVE-B: v4444-0004 gates init_command AND mysql_default_file/ssl_*
  (both facets; the file-read gating was absent from the v1 patch).
- CVE-C/D: analyze/IMPORT/sql_mode escaping and hostile-server IMPORT
  DDL quoting confirmed.

Remediation references updated to cite the reviewed final patches.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…sory

The final squashed hdfs_fdw commits were supplied as FDW-755 patches
v22-0002 (657029b, HiveQL injection + credential exposure) and v22-0001
(4aa0df9, hardening) and have now been reviewed and confirmed:

- CVE-F (v22-0002): single-quote doubling in hdfs_deparse_string(),
  trustStorePassword redaction (C DEBUG3 + JDBC), explicit_bzero of
  credentials and the connstr buffer.
- Companion hardening (v22-0001, no CVE): dbname/table_name identifier
  validation and removal of the dummy userName/password fallback.

The exploitable-vs-hardening split holds in the final versions.
Remediation reference updated to cite the reviewed final patch.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…62157)

Replace the CVE-YYYY-NNNN placeholders with the reserved EDB CNA IDs and
rename the files to the cve<year><number>.mdx convention:

  cve202662151  A  mysql_fdw multibyte-charset SQL injection
  cve202662152  B  mysql_fdw privileged connection options
  cve202662153  C  mysql_fdw SQLi via ANALYZE/IMPORT/sql_mode
  cve202662154  D  mysql_fdw local injection from hostile server on IMPORT
  cve202662155  E  mongo_fdw connection-URI injection
  cve202662156  F  hdfs_fdw HiveQL injection
  cve202662157  G  mongo_fdw ObjectId out-of-bounds read

Indexes regenerated via tools/automation/generators/advisoryindex.
Still draft: First Published dates and first-fix release versions remain
to be set before publication.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@vtran-edb

Copy link
Copy Markdown
Contributor Author

Closing and removing this branch. These draft FDW security advisories (CVE-2026-62151..62157) are being migrated to the internal EnterpriseDB/docs-editorial repository, per the CVE Handling SOP — security advisories are authored and reviewed there, not in the public docs repo. Removing the pre-publication CVE content from the public repository.

@vtran-edb vtran-edb closed this Jul 13, 2026
@vtran-edb vtran-edb deleted the security/fdw-advisories-draft branch July 13, 2026 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants