We are being told by our vulnerability scanning group that our version of PostgreSQL is at risk. As per this advisory - https://www.postgresql.org/about/news/postgresql-182-178-1612-1516-and-1421-released-3235/, they are stating we should be moving to 14.22. Are there plans to update the NTM package to include the newer version of PostgreSQL? We are currently being given a deadline of May of this year to comply.
Hey Art! We’ll be updating the version of PGSQL shipped with Threat Manager to 14.22 well before May. Keep an eye out for release notes so you know when that becomes available.
Also, I forgot to mention in my last post, you can go to the EDB website and grab the latest version of PG14 and install it to replace what we shipped in the last hotfix.
A note to others that may come across this later: you must install the same major version of PGSQL, in this case 14, and you must have already installed PGSQL with our installer that we ship so it sets up the database and schema.
Tried to download and run the 14.22 patch, got this message. It did appear to finish and NTM is currently running. Curious if you or anyone else has seen this.
Haven’t seen or had this reported yet. I’m curious whether PGSQL is going to start automatically if you reboot the NTM server. Based on the error, I imagine that is worth checking.
We may have unearthed an unintended consequence of installing that 14.22 patch from EDB. I was working with Mike Candon on a ticket and we tried to upgrade NTM to 3.1.528 and it failed with some generic database error and rolled back. I’m not sure where that log might be but we’re wondering if having that 14.22 patch in place screwed up the install for some reason? Thoughts? We’re back on 514 FYI.
Hey Art, the team shared that updating to a more recent version of PGSQL, as long as it was the same major version, should cause no issues. That is definitely an unexpected scenario. Can you please work with support to get this escalated to the development team so they can review your specific scenario?
We did fix the issue with the install, all good there. We are running into the same issue in production because as far as I know, PostgreSQL is not up to 14.22 in the most recent installer. Our vulnerability will be breached at the end of the month. Any idea when the official install package will be updated?
We can do the trick using the EDB files to get it to 14.22 but I’d rather have Netwrix’s official version.
Version 3.2 that is coming out on May 14th will have the updated PG14 version and the option to migrate to PG18. This is not forced, so you can plan ahead when you want to migrate to 18. PG14 is end of life in November.
The official PGSQL installer from EDB is fine to use with NTM. Feel free to use EDB to get your production on the latest PG14 now, or plan to upgrade to 3.2 by the end of the month.