CVE-2021-23214 Overview
CVE-2021-23214 affects PostgreSQL servers configured to use trust authentication with a clientcert requirement or cert authentication. A man-in-the-middle (MITM) attacker positioned on the network path can inject arbitrary SQL queries during the initial connection establishment. The injection succeeds despite SSL certificate verification and encryption being enabled. The vulnerability stems from how the server processed unencrypted bytes received before the TLS handshake completed, allowing those bytes to be treated as authenticated SQL input.
Critical Impact
An authenticated network attacker can execute arbitrary SQL statements against the PostgreSQL backend with the privileges of the connecting user, leading to data tampering, disclosure, or destruction.
Affected Products
- PostgreSQL versions prior to 14.1, 13.5, 12.9, 11.14, 10.19, and 9.6.24
- Red Hat Enterprise Linux 8 and Red Hat Software Collections 1.0
- Fedora 34 and Fedora 35
Discovery Timeline
- 2022-03-04 - CVE-2021-23214 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-23214
Vulnerability Analysis
The flaw resides in the PostgreSQL backend protocol handling during the connection startup phase. When a client requests SSL with the SSLRequest message, the server responds with S and proceeds with the TLS handshake. The server failed to discard any additional bytes buffered before TLS negotiation completed. An attacker controlling the network path could prepend attacker-chosen plaintext bytes to the connection stream. Those bytes were later parsed as authenticated protocol messages after the TLS session was established.
This behavior maps to [CWE-89: SQL Injection], because adversary-controlled bytes ultimately reach the SQL parser as if they originated from the trusted client. The issue is exploitable only when authentication does not bind the client identity to the SQL session through the encrypted channel, which is the case for trust with clientcert and cert authentication modes.
Root Cause
The root cause is improper handling of pre-TLS buffered input in backend/libpq/pqcomm.c. The server consumed network bytes into its receive buffer prior to enabling encryption and did not flush that buffer when TLS started. The fix, committed as 28e2412554 in the PostgreSQL repository, discards any unread bytes from the socket before initiating the encrypted session.
Attack Vector
Exploitation requires a network-positioned attacker capable of modifying packets between the client and PostgreSQL server. The attacker injects SQL statements into the TCP stream before the TLS handshake completes. Once the legitimate client authenticates through the certificate-based mechanism, the server executes the injected statements under that user's identity. No prior credentials are required because authentication relies solely on the client certificate and not on a challenge bound to the TLS channel.
The vulnerability manifests during connection startup and cannot be triggered after a session is fully established. Refer to the PostgreSQL CVE-2021-23214 advisory for protocol-level details.
Detection Methods for CVE-2021-23214
Indicators of Compromise
- Unexpected SQL statements in PostgreSQL log_statement output that do not correlate with application activity from the same client session
- Connections originating from network paths or proxies that should not handle PostgreSQL traffic on port 5432
- TLS handshakes preceded by unusually large amounts of pre-handshake data on the PostgreSQL listener
Detection Strategies
- Enable log_statement = 'all' and log_connections = on to correlate executed SQL with authenticated session identities
- Monitor for divergence between application-issued queries and queries observed in PostgreSQL audit logs using pgaudit
- Inspect network telemetry for anomalies in the PostgreSQL startup protocol, particularly bytes transmitted before TLS negotiation
Monitoring Recommendations
- Forward PostgreSQL logs to a centralized SIEM and alert on schema-modifying statements from service accounts that normally only execute reads
- Baseline TLS handshake patterns on database listeners and alert on deviations indicative of MITM interception
- Track certificate-based authentication events and correlate with source IP and ARP table changes on database network segments
How to Mitigate CVE-2021-23214
Immediate Actions Required
- Upgrade PostgreSQL to 14.1, 13.5, 12.9, 11.14, 10.19, 9.6.24, or later
- Apply vendor updates from Red Hat, Fedora, and Gentoo as documented in Gentoo GLSA 202211-04
- Review pg_hba.conf for entries using trust with clientcert or cert authentication and audit recent connections from those sources
Patch Information
The PostgreSQL Global Development Group released fixed builds on November 11, 2021. The upstream fix is commit 28e24125541545483093819efae9bca603441951, which clears any buffered plaintext before initiating TLS. See the PostgreSQL commit details and the Red Hat bug report for distribution-specific package versions.
Workarounds
- Replace trust and cert authentication with scram-sha-256 so that authentication is cryptographically bound to user-supplied secrets in addition to certificates
- Restrict PostgreSQL listeners to trusted network segments using firewall rules and listen_addresses configuration
- Require mutual TLS through a dedicated network appliance that terminates and re-originates database connections to remove untrusted intermediaries
# Configuration example: pg_hba.conf hardening
# Replace cert-only entries with password-bound authentication
hostssl all all 10.0.0.0/8 scram-sha-256 clientcert=verify-full
# Verify installed PostgreSQL version against fixed releases
psql -V
# Expected output: psql (PostgreSQL) 14.1 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
