Announcement on the Risk of Privilege Escalation Vulnerability in Cloud Database PostgreSQL Open Source Plugin

Last updated: 2024-04-09 09:34:54
    Dear user,
    Recently, Tencent Cloud learned that the external security research organization Wiz disclosed a privilege escalation vulnerability in a third-party open-source PostgreSQL extension. If an attacker has access to a database on which users are allowed to manage extensions, the attacker can exploit the vulnerability to call functions that execute system commands.

    [Affected Scope]

    Affected TencentDB for PostgreSQL extensions include but are not limited to the following:
    pg_cron
    adminpack
    amcheck
    file_fdw
    pageinspect
    pg_surgery
    pg_visibility
    pg_bigm
    postgis
    postgis_raster
    postgis_sfcgal
    postgis_tiger_geocoder
    postgis_topology
    timescaledb
    zhparser
    tencentdb_stat
    plv8
    babelfishpg_common
    babelfishpg_money
    babelfishpg_tds
    babelfishpg_tsql
    tencentdb_superuser
    btree_gist
    cube
    citext
    hstore
    intagg
    intarray
    ltree
    pg_trgm
    seg
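    The following queries are an added inventory check and are not part of Tencent Cloud's announcement. They assume a psql connection to the database in question with any role that can read pg_catalog (all roles can); the affected-extension names are taken from the list above, while the catalog tables (pg_extension, pg_namespace, pg_roles, pg_available_extensions) and the has_database_privilege() function are standard PostgreSQL. The first query shows which affected extensions are installed and at what version, the second lists the roles that could create or alter extensions, which is the condition the announcement describes, and the third records the server version to compare after the minor version upgrade.

```sql
-- Added example, not part of the Tencent Cloud announcement.
-- Reads only pg_catalog; run against each database on the instance.

-- 1. Installed extensions that appear in the announcement's affected list,
--    with installed version, packaged default version, schema and owner.
--    After a minor version upgrade, installed_version and packaged_version
--    may differ until ALTER EXTENSION ... UPDATE is run.
WITH affected(extname) AS (
    VALUES ('pg_cron'), ('adminpack'), ('amcheck'), ('file_fdw'),
           ('pageinspect'), ('pg_surgery'), ('pg_visibility'), ('pg_bigm'),
           ('postgis'), ('postgis_raster'), ('postgis_sfcgal'),
           ('postgis_tiger_geocoder'), ('postgis_topology'), ('timescaledb'),
           ('zhparser'), ('tencentdb_stat'), ('plv8'), ('babelfishpg_common'),
           ('babelfishpg_money'), ('babelfishpg_tds'), ('babelfishpg_tsql'),
           ('tencentdb_superuser'), ('btree_gist'), ('cube'), ('citext'),
           ('hstore'), ('intagg'), ('intarray'), ('ltree'), ('pg_trgm'), ('seg')
)
SELECT e.extname,
       e.extversion      AS installed_version,
       a.default_version AS packaged_version,
       n.nspname         AS schema,
       r.rolname         AS owner
FROM pg_extension e
JOIN affected     af ON af.extname = e.extname
JOIN pg_namespace n  ON n.oid = e.extnamespace
JOIN pg_roles     r  ON r.oid = e.extowner
LEFT JOIN pg_available_extensions a ON a.name = e.extname
ORDER BY e.extname;

-- 2. Roles that can manage extensions in this database: superusers, and
--    (for extensions marked trusted in their control file, PostgreSQL 13+)
--    any role holding CREATE on the database. Built-in pg_* roles are skipped.
--    Review these accounts alongside the first result.
SELECT r.rolname,
       r.rolsuper AS is_superuser,
       has_database_privilege(r.oid, current_database(), 'CREATE') AS can_create_in_db
FROM pg_roles r
WHERE NOT r.rolname LIKE 'pg\_%'
  AND (r.rolsuper OR has_database_privilege(r.oid, current_database(), 'CREATE'))
ORDER BY r.rolsuper DESC, r.rolname;

-- 3. Server version, to compare with the console before and after the upgrade.
SELECT version();
```

    Extensions are installed per database, so repeat the first query in every database on the instance; an empty result from the first query on all databases means the instance has none of the listed extensions installed, although the second query still shows who would be able to create them.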

    [How to Fix]

    Tencent Cloud is able to monitor for exploitation of this vulnerability, and so far no such activity has been observed. Given the risk the affected extensions pose, we are fixing the affected products. From 19:00 on April 20, 2023, these extensions can no longer be created or upgraded; extensions that have already been created remain available, and other features of the database instances are unaffected. After April 27, 2023, the extensions are expected to become available again once you perform a minor version upgrade in the TencentDB for PostgreSQL console. The upgrade involves a restart, so please prepare for service reconnection. For details, see Upgrading kernel minor version. If you need to use such extensions, please click Submit a Ticket to contact us.