
[Vulnerability notice] Weak password vulnerability in PostgreSQL

Last Updated: Nov 27, 2018

PostgreSQL is a powerful open source object-relational database system. This document describes how to fix a weak password vulnerability in a PostgreSQL deployment and how to check whether the weak password has already been abused.

  • Stop running PostgreSQL as the root account. We recommend running the database under a dedicated, unprivileged account.

    1. adduser dbuser
    2. sudo su - dbuser
  • Change the password of the database account to a strong password. For example,

    1. alter user postgres with password 'aliyunSecurity1234*_*';
  • Enable password authentication.

    Check whether the PostgreSQL configuration file pg_hba.conf contains a rule such as host all all trust, which lets any matching client connect without a password. If so, we recommend changing the rule to password authentication.

  • Check for any malicious UDFs.

    1. select proname,prosrc from pg_proc where proname = 'exec111';
  • Check for any suspicious UDFs.

    1. select proname,prosrc from pg_proc;
    2. //Look for functions that are neither built in nor added by the administrator.
  • Check for any suspicious triggers.

    1. select tgrelid from pg_trigger;
  • Check whether the /tmp/ file exists on the server.
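The following script is an added example and is not part of the original notice or of PostgreSQL itself. It works through the checklist above: it scans a pg_hba.conf for "trust" rules (handling the local, CIDR and IP-plus-netmask rule forms), prints what the corrected rules look like, and runs the UDF and trigger checks through psql. PG_CONN is a placeholder connection string and the sample pg_hba.conf is constructed for the demonstration; psql is only invoked if it is installed. The corrected rules use scram-sha-256, which PostgreSQL 10 and later support (use md5 on older releases); the method literally named "password" sends the password in clear text and is best avoided.

```shell
#!/bin/sh
# Added example, not part of the original notice: helpers for the checklist
# above. PG_CONN is a placeholder connection string (assumption); psql is
# only invoked if it is installed.
PG_CONN="${PG_CONN:-postgresql://postgres@localhost/postgres}"

# Print every pg_hba.conf rule whose authentication method is "trust"
# (any client matching the rule connects without a password).
find_trust_entries() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            if ($1 == "local")
                method = $4                              # local DB USER METHOD
            else if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
                method = $6                              # host DB USER IP NETMASK METHOD
            else
                method = $5                              # host DB USER CIDR METHOD
            if (method == "trust") print FILENAME ":" NR ": " $0
        }' "$1"
}

count_trust_entries() {
    find_trust_entries "$1" | wc -l | tr -d ' '
}

# What the fixed rules look like: every rule requires a password, hashed
# with scram-sha-256 (PostgreSQL 10+; use md5 on older releases), and the
# remote rule is limited to a placeholder application subnet.
hardened_hba_example() {
    cat <<'EOF'
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  scram-sha-256
host    all       all   127.0.0.1/32   scram-sha-256
host    all       all   10.0.0.0/24    scram-sha-256
EOF
}

# Database-side checks from the notice, run through psql.
audit_database() {
    # Functions outside the system schemas, with language and body: review
    # anything the administrator did not create. probin is set for C
    # functions, which are the ones that load a shared object from disk.
    psql "$PG_CONN" -c "
        select n.nspname, p.proname, l.lanname, p.probin, p.prosrc
        from pg_proc p
        join pg_namespace n on n.oid = p.pronamespace
        join pg_language l on l.oid = p.prolang
        where n.nspname not in ('pg_catalog', 'information_schema');"
    # User-defined triggers resolved to table and function names.
    psql "$PG_CONN" -c "
        select tgrelid::regclass as table_name, tgname,
               tgfoid::regproc as trigger_function
        from pg_trigger
        where not tgisinternal;"
}

# Constructed sample pg_hba.conf containing three "trust" rules.
SAMPLE_HBA=$(mktemp)
cat > "$SAMPLE_HBA" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS                 METHOD
local   all       all                           peer
host    all       all   127.0.0.1/32            trust
host    all       all   0.0.0.0/0               trust
host    all       all   10.0.0.0 255.255.255.0  trust
host    all       all   ::1/128                 scram-sha-256
EOF

echo "trust rules found: $(count_trust_entries "$SAMPLE_HBA")"
find_trust_entries "$SAMPLE_HBA"
echo "--- replace them with ---"
hardened_hba_example
if command -v psql >/dev/null 2>&1; then audit_database; fi
# Last item of the checklist: look at what is sitting in /tmp/.
ls -la /tmp/
```

After editing pg_hba.conf, reload the server (pg_ctl reload, or SELECT pg_reload_conf(); as a superuser) so the new rules take effect, and change the passwords of every account that was reachable through a trust rule before the reload.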