tencent cloud

Feedback

Open-Source Plugin Privilege Escalation Has Vulnerability Risk for PostgreSQL

Last updated: 2023-07-06 15:11:51
    
    We have detected that Wiz, an external security organization, disclosed a privilege escalation vulnerability in an open-source PostgreSQL database extension. This vulnerability allows attackers with database login privileges and operable extensions to execute arbitrary functions for system command execution.

    Impacts

    Affected TencentDB for PostgreSQL extensions include but are not limited to the following:
    pg_cron
    adminpack
    amcheck
    file_fdw
    pageinspect
    pg_surgery
    pg_visibility
    pg_cron
    pg_bigm
    postgis
    postgis_raster
    postgis_sfcgal
    postgis_tiger_geocoder
    postgis_topology
    timescaledb
    zhparser
    tencentdb_stat
    plv8
    babelfishpg_common
    babelfishpg_money
    babelfishpg_tds
    babelfishpg_tsql
    tencentdb_superuser
    tencentdb_stat
    btree_gist
    cube
    citext
    hstore
    intagg
    intarray
    ltree
    pg_trgm
    seg

    Suggestions

    Currently, we haven’t observed the abuse of this vulnerability in TencentDB for PostgreSQL. But considering extension risks, we are fixing the affected products. We will disable the creation and the upgrade of these extensions after 18:00 on April 20, 2023. The created extensions can still be used without affecting the normal use of other features for the instance. You can upgrade minor version in a self-service manner in the TencentDB for PostgreSQL console to restore the use of extensions after April 27, 2023. As the system will be restarted during the upgrade, ensure that your business has a reconnection mechanism. For more information, see Upgrading Kernel Minor Version. If you need to use such extensions, submit a ticket.
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support