- Release Notes and Announcements
- Release Notes
- Open-Source Plugin Privilege Escalation Has Vulnerability Risk for PostgreSQL
- Announcements
- Security Risk Statement for Creating Partial Plugins in PostgreSQL Cloud Database
- TencentDB for PostgreSQL Will Start Billing for Backup Space
- Some Extensions on Lower Kernel Version Can't Be Created and Upgraded in TencentDB for PostgreSQL
- Announcement on the Risk of Privilege Escalation Vulnerability in Cloud Database PostgreSQL Open Source Plugin
- Product Introduction
- Purchase Guide
- Getting Started
- Kernel Version Introduction
- Operation Guide
- Instance Management
- Instance Lifecycle
- Setting Instance Maintenance Time
- Modifying Instance Configuration
- Setting instance availability zone for disaster recovery or region disaster recovery
- Modifying AZs
- Terminating Instances
- Restoring Instances
- Eliminating Instances
- Restarting Instances
- Modifying Data Replication Mode
- Switch Source-Replica Instance
- Upgrading Instance
- Read-Only Instance
- Account Management
- Database Management
- Database Optimization
- Parameter Management
- Log management
- Backup and Restoration
- Backup Principles and Solutions
- Backing up Data
- Downloading Backup
- Cloning Instance
- Automatic Backup Settings
- Restoring PostgreSQL Data on CVMs
- Deleting Backup
- Viewing Backup Space
- Setting Backup Download Rules
- Use Serverless Cloud Function to Transfer Historical Backups of PostgreSQL
- Rollback to the Original Instance
- Physical Migration
- Database Audit
- Extension Management
- Network Management
- Access Management
- Data Encryption
- Tenant and Resource Isolation
- Security Groups
- Monitoring and Alarms
- Tag
- Instance Management
- PostgreSQL for Serverless
- MSSQL Compatible Version
- Practical Tutorial
- postgres_fdw Extension for Cross-database Access
- Automatically Creating Partition in PostgreSQL
- Searching in High Numbers of Tags Based on pg_roaringbitmap
- Querying People Nearby with One SQL Statement
- Configuring TencentDB for PostgreSQL as GitLab's External Data Source
- Supporting Tiered Storage Based on cos_fdw Extension
- Implement Read/Write Separation via pgpool
- Analyzing Slow SQL Using the auto_explain Plugin
- Using pglogical for Logical Replication
- Performance White Paper
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- CreateInstances
- DescribeDBInstances
- DescribeDBInstanceAttribute
- DescribeEncryptionKeys
- DescribeDBInstanceHAConfig
- SwitchDBInstancePrimary
- ModifyDBInstanceName
- ModifyDBInstanceSpec
- ModifyDBInstanceDeployment
- UpgradeDBInstanceKernelVersion
- ModifyDBInstanceHAConfig
- ModifyDBInstanceChargeType
- ModifyDBInstancesProject
- ModifySwitchTimePeriod
- RenewInstance
- SetAutoRenewFlag
- RestartDBInstance
- IsolateDBInstances
- DisIsolateDBInstances
- DestroyDBInstance
- CreateDBInstances
- InitDBInstances
- UpgradeDBInstance
- UpgradeDBInstanceMajorVersion
- Read-only Replica APIs
- Backup and Recovery APIs
- DescribeAvailableRecoveryTime
- DescribeCloneDBInstanceSpec
- CloneDBInstance
- RestoreDBInstanceObjects
- DescribeBackupOverview
- DescribeBackupSummaries
- DescribeBackupPlans
- ModifyBackupPlan
- CreateBaseBackup
- DescribeBaseBackups
- ModifyBaseBackupExpireTime
- DeleteBaseBackup
- DescribeLogBackups
- DeleteLogBackup
- DescribeBackupDownloadURL
- DescribeBackupDownloadRestriction
- ModifyBackupDownloadRestriction
- DescribeDBXlogs
- DescribeDBBackups
- Parameter Management APIs
- Security Group APIs
- Performance Optimization APIs
- Account APIs
- Specification APIs
- PostgreSQL for Serverless APIs
- Network APIs
- Data Types
- Error Codes
- FAQs
- Service Agreement
- Glossary
- Contact Us
- Release Notes and Announcements
- Release Notes
- Open-Source Plugin Privilege Escalation Has Vulnerability Risk for PostgreSQL
- Announcements
- Security Risk Statement for Creating Partial Plugins in PostgreSQL Cloud Database
- TencentDB for PostgreSQL Will Start Billing for Backup Space
- Some Extensions on Lower Kernel Version Can't Be Created and Upgraded in TencentDB for PostgreSQL
- Announcement on the Risk of Privilege Escalation Vulnerability in Cloud Database PostgreSQL Open Source Plugin
- Product Introduction
- Purchase Guide
- Getting Started
- Kernel Version Introduction
- Operation Guide
- Instance Management
- Instance Lifecycle
- Setting Instance Maintenance Time
- Modifying Instance Configuration
- Setting instance availability zone for disaster recovery or region disaster recovery
- Modifying AZs
- Terminating Instances
- Restoring Instances
- Eliminating Instances
- Restarting Instances
- Modifying Data Replication Mode
- Switch Source-Replica Instance
- Upgrading Instance
- Read-Only Instance
- Account Management
- Database Management
- Database Optimization
- Parameter Management
- Log management
- Backup and Restoration
- Backup Principles and Solutions
- Backing up Data
- Downloading Backup
- Cloning Instance
- Automatic Backup Settings
- Restoring PostgreSQL Data on CVMs
- Deleting Backup
- Viewing Backup Space
- Setting Backup Download Rules
- Use Serverless Cloud Function to Transfer Historical Backups of PostgreSQL
- Rollback to the Original Instance
- Physical Migration
- Database Audit
- Extension Management
- Network Management
- Access Management
- Data Encryption
- Tenant and Resource Isolation
- Security Groups
- Monitoring and Alarms
- Tag
- Instance Management
- PostgreSQL for Serverless
- MSSQL Compatible Version
- Practical Tutorial
- postgres_fdw Extension for Cross-database Access
- Automatically Creating Partition in PostgreSQL
- Searching in High Numbers of Tags Based on pg_roaringbitmap
- Querying People Nearby with One SQL Statement
- Configuring TencentDB for PostgreSQL as GitLab's External Data Source
- Supporting Tiered Storage Based on cos_fdw Extension
- Implement Read/Write Separation via pgpool
- Analyzing Slow SQL Using the auto_explain Plugin
- Using pglogical for Logical Replication
- Performance White Paper
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Instance APIs
- CreateInstances
- DescribeDBInstances
- DescribeDBInstanceAttribute
- DescribeEncryptionKeys
- DescribeDBInstanceHAConfig
- SwitchDBInstancePrimary
- ModifyDBInstanceName
- ModifyDBInstanceSpec
- ModifyDBInstanceDeployment
- UpgradeDBInstanceKernelVersion
- ModifyDBInstanceHAConfig
- ModifyDBInstanceChargeType
- ModifyDBInstancesProject
- ModifySwitchTimePeriod
- RenewInstance
- SetAutoRenewFlag
- RestartDBInstance
- IsolateDBInstances
- DisIsolateDBInstances
- DestroyDBInstance
- CreateDBInstances
- InitDBInstances
- UpgradeDBInstance
- UpgradeDBInstanceMajorVersion
- Read-only Replica APIs
- Backup and Recovery APIs
- DescribeAvailableRecoveryTime
- DescribeCloneDBInstanceSpec
- CloneDBInstance
- RestoreDBInstanceObjects
- DescribeBackupOverview
- DescribeBackupSummaries
- DescribeBackupPlans
- ModifyBackupPlan
- CreateBaseBackup
- DescribeBaseBackups
- ModifyBaseBackupExpireTime
- DeleteBaseBackup
- DescribeLogBackups
- DeleteLogBackup
- DescribeBackupDownloadURL
- DescribeBackupDownloadRestriction
- ModifyBackupDownloadRestriction
- DescribeDBXlogs
- DescribeDBBackups
- Parameter Management APIs
- Security Group APIs
- Performance Optimization APIs
- Account APIs
- Specification APIs
- PostgreSQL for Serverless APIs
- Network APIs
- Data Types
- Error Codes
- FAQs
- Service Agreement
- Glossary
- Contact Us
Announcement on the Risk of Privilege Escalation Vulnerability in Cloud Database PostgreSQL Open Source Plugin
Last updated: 2024-04-09 09:34:54
Dear user,
Recently, Tencent Cloud detected that the external security organization Wiz disclosed a privilege escalation vulnerability in an open-source extension of a third-party PostgreSQL database. If an attacker has access to a database that allows users to manage extensions, the attacker can exploit the vulnerability to call functions to execute system commands.
[Affected Scope]
Affected TencentDB for PostgreSQL extensions include but are not limited to the following:
pg_cron
adminpack
amcheck
file_fdw
pageinspect
pg_surgery
pg_visibility
pg_cron
pg_bigm
postgis
postgis_raster
postgis_sfcgal
postgis_tiger_geocoder
postgis_topology
timescaledb
zhparser
tencentdb_stat
plv8
babelfishpg_common
babelfishpg_money
babelfishpg_tds
babelfishpg_tsql
tencentdb_superuser
tencentdb_stat
btree_gist
cube
citext
hstore
intagg
intarray
ltree
pg_trgm
seg
[How to Fix]
Tencent Cloud has the capability to monitor the exploitation of this attack and so far, no such behavior has been discovered. Considering the risks associated with the extensions, we are fixing the affected products. The extensions will be unable to be created and upgraded from 19:00 on April 20, 2023, except that those already created will be still available, and other features of the database instances remain unaffected. It is expected that after April 27, 2023, the extensions will resume after you perform a minor version upgrade in the TencentDB for PostgreSQL console. The upgrade will involve a system restart, so please prepare for service reconnection. For details, please see Upgrading kernel minor version. If you need to use such extensions, please click Submit a Ticket to contact us.
Yes
No
Was this page helpful?