The security firm Wiz disclosed to Alibaba Cloud a vulnerability related to an open source PostgreSQL plug-in that allows a user to elevate their privileges on a database by invoking user-defined functions. An attacker can exploit the vulnerability if they have access to a PostgreSQL database that allows users to operate plug-ins. While Wiz was carrying out its security tests, our security system notified us of the situation, and we took immediate action to address the issues. The vulnerabilities in all affected products have been fully remediated.
Affected products
ApsaraDB RDS for PostgreSQL
AnalyticDB for PostgreSQL
PolarDB for PostgreSQL and PolarDB for Oracle
We have updated all affected products to fix the vulnerability. No action is needed on the customer side. The vulnerability has never been exploited in real-world scenarios.
Acknowledgement
We want to acknowledge Wiz for disclosing the vulnerability. Alibaba Cloud worked closely with Wiz to deliver better security for our users on the cloud.
We will continue to follow developments related to this vulnerability. If you need more information or assistance, contact Alibaba Cloud technical support.