Multiple High CVEs addressed in cpe:2.3:a:postgresql:postgresql, Version: 10.21 #21188

Open
mikebou opened this issue Nov 29, 2023 · 1 comment

mikebou commented Nov 29, 2023

Our security team is flagging the current Datadog agent build for 3 High Severity CVEs that have been addressed in the cpe:2.3:a:postgresql:postgresql, Version: 10.19 library.

Our corporate policy is to address High and Critical CVEs within 90 days of a released fix.

    CVE-2022-1552, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2022-1552
        CVSS score: 8.8, CVSS exploitability score: 2.8
        Fixed version: 10.21
        Grace period expired 
    CVE-2022-2625, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2022-2625
        CVSS score: 8, CVSS exploitability score: 2.1
        Fixed version: 10.22
        Grace period expired
    CVE-2023-32305, Severity: HIGH, Source: https://nvd.nist.gov/vuln/detail/CVE-2023-32305
        CVSS score: 8.8, CVSS exploitability score: 2.8
        Fixed version: 10.23
        Grace period expired

Please update the agent with at least 10.23 to address these resolved CVEs.

@cvirtucio

Version 7.50 of the datadog-agent doesn't include the postgres binary that those three CVEs mention. So if you use the install script, setting DD_AGENT_MAJOR_VERSION=7 and DD_AGENT_MINOR_VERSION=50 should do it, e.g.:

DD_AGENT_MAJOR_VERSION=7 DD_AGENT_MINOR_VERSION=50 ~/install_script_agent7.sh
