
ApsaraDB RDS: PostgreSQL open-source extension vulnerability

Last Updated: Mar 28, 2026

Wiz, a cloud security startup, disclosed a privilege escalation vulnerability in an open-source extension of a third-party PostgreSQL database. The vulnerability may pose risks to some database services of cloud providers. If an attacker gains access to a PostgreSQL database that allows users to manage extensions, the attacker can exploit this vulnerability to call user-defined functions (UDFs) and perform unauthorized operations.

Alibaba Cloud detected the vulnerability during Wiz's security tests and took immediate action. The vulnerability has been fully patched across all affected services. No action is required on your part. Alibaba Cloud has confirmed that the vulnerability was never exploited in Alibaba Cloud.

Affected services

The following services were affected:

  • ApsaraDB RDS for PostgreSQL

  • AnalyticDB for PostgreSQL

  • PolarDB for PostgreSQL

  • PolarDB for Oracle

All affected services have been updated. No action is required.

Acknowledgment

Alibaba Cloud thanks Wiz for disclosing this vulnerability. Alibaba Cloud continues to work closely with Wiz to improve security for customers and will continue to follow developments related to this vulnerability.

For more information or assistance, contact Alibaba Cloud technical support.