Product:
CINC Server (Chef Server community distribution)
Summary:
The distribution includes an embedded PostgreSQL 9.6 binary which is end-of-life and no longer receives security updates. This introduces exposure to unpatched and future vulnerabilities.
Details:
Vulnerability scan identified:
-
/opt/cinc-project/embedded/postgresql/9.6/bin/postgres
Version: 9.6.23 (EOL)
-
/opt/cinc-project/embedded/postgresql/13/bin/postgres
Version: 13.6 (supported major, but outdated patch level)
PostgreSQL 9.6 has been unsupported since November 2021 and receives no security fixes.
Impact:
Shipping an EOL database component may expose deployments to known and future CVEs. Risk depends on whether the 9.6 binaries are reachable or used in any execution paths, but their presence alone is typically flagged as a critical compliance and security finding.
Reproduction:
- Deploy CINC Server
- Inspect embedded binaries under /opt/cinc-project/embedded/postgresql/
- Confirm presence of 9.6 installation and version output
Expected Behavior:
- No end-of-life PostgreSQL versions included in distribution
- All embedded database components on supported and patched versions
Actual Behavior:
- PostgreSQL 9.6 is bundled alongside newer versions
Request:
- Remove PostgreSQL 9.6 from distribution, or upgrade all embedded components to a supported version
- Confirm whether 9.6 is used in any runtime or migration paths
- Provide remediation guidance for affected customers
Severity:
High (use of unsupported component with no security patching)
References:
https://www.postgresql.org/support/versioning/
Additional Notes:
This was identified via automated vulnerability scanning in a production deployment.
Product:
CINC Server (Chef Server community distribution)
Summary:
The distribution includes an embedded PostgreSQL 9.6 binary which is end-of-life and no longer receives security updates. This introduces exposure to unpatched and future vulnerabilities.
Details:
Vulnerability scan identified:
/opt/cinc-project/embedded/postgresql/9.6/bin/postgres
Version: 9.6.23 (EOL)
/opt/cinc-project/embedded/postgresql/13/bin/postgres
Version: 13.6 (supported major, but outdated patch level)
PostgreSQL 9.6 has been unsupported since November 2021 and receives no security fixes.
Impact:
Shipping an EOL database component may expose deployments to known and future CVEs. Risk depends on whether the 9.6 binaries are reachable or used in any execution paths, but their presence alone is typically flagged as a critical compliance and security finding.
Reproduction:
Expected Behavior:
Actual Behavior:
Request:
Severity:
High (use of unsupported component with no security patching)
References:
https://www.postgresql.org/support/versioning/
Additional Notes:
This was identified via automated vulnerability scanning in a production deployment.