CVE-2021-23214 Overview
CVE-2021-23214 is a Man-in-the-Middle SQL Injection vulnerability affecting PostgreSQL database servers. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
Critical Impact
Attackers can inject malicious SQL queries during the SSL handshake phase, potentially leading to unauthorized data access, data manipulation, or complete database compromise even when SSL encryption is enabled.
Affected Products
- PostgreSQL (multiple versions including 14.0)
- Fedora 34 and 35
- Red Hat Enterprise Linux 8.0
- Red Hat Software Collections 1.0
- Red Hat Enterprise Linux for IBM z Systems 8.0
- Red Hat Enterprise Linux for Power Little Endian 8.0
Discovery Timeline
- 2022-03-04 - CVE-2021-23214 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23214
Vulnerability Analysis
This vulnerability exploits a race condition in PostgreSQL's SSL/TLS connection establishment process. The flaw allows an attacker positioned between a client and server to inject data into the connection buffer before the SSL handshake completes. Due to improper validation of buffered data during the transition from unencrypted to encrypted communication, PostgreSQL would process data received before encryption was established as if it were legitimate encrypted traffic.
The vulnerability is particularly dangerous because it bypasses the security guarantees that SSL/TLS certificate authentication is supposed to provide. Organizations relying on client certificates for database authentication believed they had strong security controls in place, but this flaw undermined those protections entirely. The attack requires the attacker to be in a network position to intercept traffic (man-in-the-middle), which adds complexity but is achievable in many enterprise and cloud environments.
Root Cause
The root cause lies in PostgreSQL's failure to verify that no data was buffered before the SSL handshake completed. The server's connection handling code would accept and process any data that arrived in the receive buffer prior to SSL negotiation, treating it as legitimate post-encryption traffic. This design oversight meant that an attacker could send malicious SQL commands during the brief window between initial TCP connection and SSL establishment, and those commands would be executed with the privileges of the authenticated user.
Attack Vector
The attack requires a network-level man-in-the-middle position between the PostgreSQL client and server. The attacker intercepts the initial connection attempt and injects arbitrary SQL queries into the data stream before the SSL handshake completes. When the legitimate SSL connection is established and the client authenticates via certificate, the previously injected SQL commands are processed as if they came from the authenticated client. This allows the attacker to execute queries with the full privileges of the certificate-authenticated user, which often has elevated database permissions.
// Security patch in src/backend/postmaster/postmaster.c
// Source: https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
return STATUS_ERROR;
#endif
+ /*
+ * At this point we should have no data already buffered. If we do,
+ * it was received before we performed the SSL handshake, so it wasn't
+ * encrypted and indeed may have been injected by a man-in-the-middle.
+ * We report this case to the client.
+ */
+ if (pq_buffer_has_data())
+ ereport(FATAL,
+ (errcode(ERRCODE_PROTOCOL_VIOLATION),
+ errmsg("received unencrypted data after SSL request"),
+ errdetail("This could be either a client-software bug or evidence of an attempted man-in-the-middle attack.")));
+
/*
* regular startup packet, cancel, etc packet should follow, but not
* another SSL negotiation request, and a GSS request should only
The patch adds a new function pq_buffer_has_data() to check for buffered data and validates that no unencrypted data exists in the buffer after SSL handshake:
// Security patch in src/backend/libpq/pqcomm.c
// Source: https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
return 0;
}
+/* --------------------------------
+ * pq_buffer_has_data - is any buffered data available to read?
+ *
+ * This will *not* attempt to read more data.
+ * --------------------------------
+ */
+bool
+pq_buffer_has_data(void)
+{
+ return (PqRecvPointer < PqRecvLength);
+}
+
/* --------------------------------
* pq_startmsgread - begin reading a message from the client.
Detection Methods for CVE-2021-23214
Indicators of Compromise
- PostgreSQL error logs containing "received unencrypted data after SSL request" messages (indicates patched server detected attack attempt)
- Unusual SQL query patterns immediately following client certificate authentication
- Network traffic anomalies showing data injection between TCP SYN and SSL handshake completion
- Database audit logs showing queries executed that don't match client application patterns
Detection Strategies
- Deploy network intrusion detection systems (IDS) to monitor for anomalous traffic patterns during PostgreSQL SSL handshake sequences
- Enable PostgreSQL logging with log_connections = on and log_statement = all to capture authentication and query activity
- Implement database activity monitoring (DAM) solutions to detect suspicious query patterns from certificate-authenticated connections
- Use SentinelOne Singularity to monitor PostgreSQL process behavior and detect anomalous database operations
Monitoring Recommendations
- Configure alerting for PostgreSQL protocol violation errors in application and system logs
- Monitor for unexpected database schema changes or data exfiltration patterns
- Establish baseline network behavior for PostgreSQL connections and alert on deviations during connection establishment
- Review certificate authentication logs for connections that execute unexpected administrative queries
How to Mitigate CVE-2021-23214
Immediate Actions Required
- Upgrade PostgreSQL to a patched version immediately (versions released after November 2021)
- Audit database logs for any suspicious activity that may indicate prior exploitation
- Review network architecture to minimize exposure of PostgreSQL servers to potential MITM positions
- Consider implementing additional network-level encryption (VPN, IPsec) for database traffic in sensitive environments
Patch Information
PostgreSQL has released security patches addressing this vulnerability. The fix introduces the pq_buffer_has_data() function to detect and reject any data present in the receive buffer after SSL handshake completion. Patched servers will terminate connections with a FATAL error if pre-handshake data is detected, logging a message indicating a potential man-in-the-middle attack.
For detailed patch information, refer to the PostgreSQL Security Advisory for CVE-2021-23214 and the GitHub commit 28e24125. Red Hat users should consult the Red Hat Bug Report for distribution-specific patches.
Workarounds
- Implement network segmentation to isolate PostgreSQL servers and reduce MITM attack surface
- Use VPN tunnels or IPsec for all PostgreSQL client-server communication as an additional encryption layer
- Deploy PostgreSQL behind a reverse proxy or load balancer that performs SSL termination in a trusted network zone
- Consider temporarily disabling remote certificate-based authentication if patching is not immediately possible
# Configuration example - Enable comprehensive PostgreSQL logging for detection
# Add to postgresql.conf
# Enable connection logging
log_connections = on
log_disconnections = on
# Log all statements for forensic analysis
log_statement = 'all'
# Enable SSL debugging (temporary for investigation)
ssl = on
ssl_cert_file = '/path/to/server.crt'
ssl_key_file = '/path/to/server.key'
ssl_ca_file = '/path/to/ca.crt'
# Require SSL for all connections
# In pg_hba.conf, use 'hostssl' instead of 'host'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
