
Announcement on the Risk of Privilege Escalation Vulnerability in Cloud Database PostgreSQL Open Source Plugin
Last updated: 2024-04-09 09:34:54
Dear user,
Recently, Tencent Cloud learned that the external security organization Wiz disclosed a privilege escalation vulnerability affecting third-party open-source PostgreSQL extensions. If an attacker has access to a database in which users are allowed to manage extensions, the attacker can exploit the vulnerability by calling extension functions to execute system commands on the database host.

[Affected Scope]

Affected TencentDB for PostgreSQL extensions include but are not limited to the following:
pg_cron
adminpack
amcheck
file_fdw
pageinspect
pg_surgery
pg_visibility
pg_bigm
postgis
postgis_raster
postgis_sfcgal
postgis_tiger_geocoder
postgis_topology
timescaledb
zhparser
tencentdb_stat
plv8
babelfishpg_common
babelfishpg_money
babelfishpg_tds
babelfishpg_tsql
tencentdb_superuser
btree_gist
cube
citext
hstore
intagg
intarray
ltree
pg_trgm
seg

[How to Fix]

Tencent Cloud is able to monitor for exploitation of this vulnerability, and so far no such activity has been observed. Given the risk these extensions pose, we are fixing the affected products. Starting at 19:00 on April 20, 2023, the affected extensions can no longer be created or upgraded; extensions that have already been created remain available, and other features of the database instances are unaffected. After April 27, 2023, the extensions are expected to become available again once you perform a minor version upgrade in the TencentDB for PostgreSQL console. The upgrade involves a restart of the instance, so plan for your services to reconnect. For details, see Upgrading kernel minor version. If you need to use these extensions in the meantime, click Submit a Ticket to contact us.