PostgreSQL products must be a version supported by the vendor.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-261937	SRG-APP-000456-DB-000400	CD16-00-009300	SV-261937r1000974_rule	2024-06-17	1

Description
Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.

Description

Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.

ℹ️ Check
If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system: To list the version of installed PostgreSQL using psql: $ sudo su - postgres $ psql --version To list the current version of software for RPM: $ rpm -qa \| grep postgres To list the current version of software for APT: $ apt-cache policy postgres All versions of PostgreSQL are listed here: http://www.postgresql.org/support/versioning/ All security-relevant software updates for PostgreSQL are listed here: http://www.postgresql.org/support/security/ If PostgreSQL is not at the latest version, this is a finding. If PostgreSQL is not at the latest version and the evaluated version has CVEs (IAVAs), this is a CAT I finding.

ℹ️ Check

If new packages are available for PostgreSQL, they can be reviewed in the package manager appropriate for the server operating system: To list the version of installed PostgreSQL using psql: $ sudo su - postgres $ psql --version To list the current version of software for RPM: $ rpm -qa | grep postgres To list the current version of software for APT: $ apt-cache policy postgres All versions of PostgreSQL are listed here: http://www.postgresql.org/support/versioning/ All security-relevant software updates for PostgreSQL are listed here: http://www.postgresql.org/support/security/ If PostgreSQL is not at the latest version, this is a finding. If PostgreSQL is not at the latest version and the evaluated version has CVEs (IAVAs), this is a CAT I finding.

✔️ Fix
Institute and adhere to policies and procedures to ensure that patches are consistently applied to PostgreSQL within the time allowed.