
[Vulnerability notice] Weak password vulnerability in PostgreSQL

Last Updated: Nov 27, 2018

PostgreSQL is a powerful open source object-relational database system. This document describes how to fix the weak password vulnerability when using PostgreSQL.

Fix

  • Stop running PostgreSQL as root. Run the database under a dedicated, unprivileged account instead, for example:

      adduser dbuser
      sudo su - dbuser

  • Change the password of the database account to a strong password. For example:

      alter user postgres with password 'aliyunSecurity1234*_*';

  • Enable password authentication.

    Check whether the PostgreSQL configuration file pg_hba.conf contains the line host all all 0.0.0.0/0 trust. If so, we recommend that you change the authentication method from trust to password authentication.

  • Check for known malicious UDFs.

      select proname,prosrc from pg_proc where proname = 'exec111';

  • Check for any other suspicious UDFs.

      select proname,prosrc from pg_proc;

    Look for functions that are neither preset by the system nor added by the administrator.

  • Check for suspicious triggers.

      select tgrelid from pg_trigger;

  • Check whether the file /tmp/testproxy.so exists on the server.
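The checks above gathered into a small POSIX shell audit script, added here as an illustration (it is not part of the notice or an Alibaba Cloud tool). It assumes psql on the host, superuser access for the queries, and relies on the fact that objects created after initdb receive OIDs at or above 16384; note that the pg_hba.conf method literally named password sends passwords in clear text, so scram-sha-256 (or md5 on older releases) is the stronger replacement for trust.

```shell
#!/bin/sh
# pg_weakpass_audit.sh (hypothetical name): helpers for the checks in this notice.
# Assumes: psql on the host, superuser access for the queries, a readable pg_hba.conf.

# List pg_hba.conf rules whose authentication method is "trust" (no password at
# all). The method is the 4th field for "local" rules and the 5th or 6th for
# host rules, so every field from the 4th onward is inspected. Comments and
# blank lines are skipped. Prints matching rules; prints nothing when clean.
weak_hba_rules() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            for (i = 4; i <= NF; i++)
                if ($i == "trust") { print; break }
        }
    ' "$1"
}

# Inventory functions and triggers that were not created by initdb. Built-in
# catalog objects have OIDs below 16384 (FirstNormalObjectId), so anything at
# or above that value was added later and must be accounted for. A C-language
# function whose probin points under /tmp is the classic sign of a dropped UDF.
audit_udfs() {
    psql -X -v ON_ERROR_STOP=1 "$@" <<'SQL'
SELECT p.oid, n.nspname, p.proname, l.lanname, p.probin,
       left(p.prosrc, 80) AS prosrc
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_language  l ON l.oid = p.prolang
WHERE  p.oid >= 16384
ORDER  BY p.oid;

SELECT t.tgname, t.tgrelid::regclass AS table_name, t.tgfoid::regproc AS func
FROM   pg_trigger t
WHERE  NOT t.tgisinternal
ORDER  BY t.tgrelid;
SQL
}

# Look for shared objects left in world-writable temp directories (the notice
# names /tmp/testproxy.so; this generalises to any .so file found there).
dropped_libs() {
    find /tmp /var/tmp -maxdepth 1 -name '*.so' -print 2>/dev/null
}

# Example invocation (the pg_hba.conf location varies by distribution):
#   weak_hba_rules /etc/postgresql/10/main/pg_hba.conf
#   audit_udfs -U postgres -d postgres
#   dropped_libs
```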
