tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
TencentDB for PostgreSQL
    Documentation
    Download PDF

    Announcement on the Risk of Privilege Escalation Vulnerability in Cloud Database PostgreSQL Open Source Plugin

    Last updated: 2024-04-09 09:34:54
    Download PDF
      Dear user,
      Recently, Tencent Cloud detected that the external security organization Wiz disclosed a privilege escalation vulnerability in an open-source extension of a third-party PostgreSQL database. If an attacker has access to a database that allows users to manage extensions, the attacker can exploit the vulnerability to call functions to execute system commands.

      [Affected Scope]

      Affected TencentDB for PostgreSQL extensions include but are not limited to the following:
      pg_cron
      adminpack
      amcheck
      file_fdw
      pageinspect
      pg_surgery
      pg_visibility
      pg_cron
      pg_bigm
      postgis
      postgis_raster
      postgis_sfcgal
      postgis_tiger_geocoder
      postgis_topology
      timescaledb
      zhparser
      tencentdb_stat
      plv8
      babelfishpg_common
      babelfishpg_money
      babelfishpg_tds
      babelfishpg_tsql
      tencentdb_superuser
      tencentdb_stat
      btree_gist
      cube
      citext
      hstore
      intagg
      intarray
      ltree
      pg_trgm
      seg

      [How to Fix]

      Tencent Cloud has the capability to monitor the exploitation of this attack and so far, no such behavior has been discovered. Considering the risks associated with the extensions, we are fixing the affected products. The extensions will be unable to be created and upgraded from 19:00 on April 20, 2023, except that those already created will be still available, and other features of the database instances remain unaffected. It is expected that after April 27, 2023, the extensions will resume after you perform a minor version upgrade in the TencentDB for PostgreSQL console. The upgrade will involve a system restart, so please prepare for service reconnection. For details, please see Upgrading kernel minor version. If you need to use such extensions, please click Submit a Ticket to contact us.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy