Wiz, a cloud security startup, disclosed to Alibaba Cloud a privilege escalation vulnerability detected in an open source extension of a third-party PostgreSQL database. The vulnerability may introduce risks to some database services of cloud providers. If an attacker has access to a PostgreSQL database that allows users to manage extensions, the attacker can exploit the vulnerability to call user-defined functions to perform unauthorized operations. When Wiz carried out security tests, Alibaba Cloud detected the risks at the earliest opportunity and took immediate security measures to respond to the vulnerability. The vulnerability has been fixed in Alibaba Cloud.
Affected scope
ApsaraDB RDS for PostgreSQL
AnalyticDB for PostgreSQL
PolarDB for PostgreSQL and PolarDB for Oracle
Alibaba Cloud updated all affected services after the vulnerability was fixed. You do not need to take any action. Alibaba Cloud confirms that the vulnerability has never been exploited in Alibaba Cloud.
Acknowledgment
Alibaba Cloud thanks Wiz for disclosing the vulnerability. Alibaba Cloud has been collaborating closely with Wiz to deliver better security for customers.
Alibaba Cloud will follow up on the development of this vulnerability. If you need more information or assistance, contact Alibaba Cloud technical support.