Dear user,
Tencent Cloud recently learned that the security research firm Wiz disclosed a privilege escalation vulnerability in a third-party open-source PostgreSQL extension. An attacker with access to a database in which users are allowed to manage extensions can exploit the vulnerability by calling extension functions that execute system commands.
[Affected Scope]
Affected TencentDB for PostgreSQL extensions include but are not limited to the following:
pg_cron
adminpack
amcheck
file_fdw
pageinspect
pg_surgery
pg_visibility
pg_bigm
postgis
postgis_raster
postgis_sfcgal
postgis_tiger_geocoder
postgis_topology
timescaledb
zhparser
tencentdb_stat
plv8
babelfishpg_common
babelfishpg_money
babelfishpg_tds
babelfishpg_tsql
tencentdb_superuser
btree_gist
cube
citext
hstore
intagg
intarray
ltree
pg_trgm
seg
[How to Fix]
Tencent Cloud is able to monitor for exploitation of this vulnerability, and no such activity has been observed so far. Given the risk these extensions pose, we are fixing the affected products. Starting at 19:00 on April 20, 2023, the affected extensions can no longer be created or upgraded; extensions that are already created remain available, and other features of the database instances are unaffected. After April 27, 2023, the extensions are expected to become available again once you perform a minor version upgrade in the TencentDB for PostgreSQL console. The upgrade restarts the instance, so prepare your applications to reconnect. For details, see Upgrading kernel minor version. If you need to use these extensions, click Submit a Ticket to contact us.
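The queries below are an added inventory check, not part of the Tencent Cloud notice. Run them in each database on an instance to see which of the extensions listed above are installed, who owns them, and which non-superuser roles could create extensions there. The `trusted` and `superuser` columns of `pg_available_extension_versions` exist in PostgreSQL 13 and later; on older versions drop those two columns and the LEFT JOIN.

```sql
-- Added check (not from the notice): installed extensions that appear in the
-- affected list, with owner and whether non-superusers may create them.
SELECT e.extname,
       e.extversion,
       pg_get_userbyid(e.extowner) AS owner,
       v.trusted,      -- TRUE: a role with CREATE on the database can install it
       v.superuser     -- TRUE: installing requires superuser (unless trusted)
FROM pg_extension AS e
LEFT JOIN pg_available_extension_versions AS v
       ON v.name = e.extname
      AND v.version = e.extversion
WHERE e.extname IN (
  'pg_cron', 'adminpack', 'amcheck', 'file_fdw', 'pageinspect', 'pg_surgery',
  'pg_visibility', 'pg_bigm', 'postgis', 'postgis_raster', 'postgis_sfcgal',
  'postgis_tiger_geocoder', 'postgis_topology', 'timescaledb', 'zhparser',
  'tencentdb_stat', 'plv8', 'babelfishpg_common', 'babelfishpg_money',
  'babelfishpg_tds', 'babelfishpg_tsql', 'tencentdb_superuser', 'btree_gist',
  'cube', 'citext', 'hstore', 'intagg', 'intarray', 'ltree', 'pg_trgm', 'seg'
)
ORDER BY e.extname;

-- Added check (not from the notice): non-superuser roles holding CREATE on the
-- current database, i.e. roles that can manage trusted extensions here. Review
-- whether each of them actually needs that privilege.
SELECT r.rolname
FROM pg_roles AS r
WHERE NOT r.rolsuper
  AND r.rolcanlogin
  AND has_database_privilege(r.rolname, current_database(), 'CREATE')
ORDER BY r.rolname;
```

Repeat both queries per database, since `pg_extension` is database-local. The second query is the one to revisit before April 27: roles that do not need to install extensions can have CREATE on the database revoked while the affected extensions are blocked.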