Statement on the vulnerability of a PostgreSQL open source plug-in in some Alibaba Cloud products

更新时间:
复制 MD 格式

Security firm Wiz disclosed a vulnerability in an open-source PostgreSQL plug-in that allows privilege escalation through user-defined functions. An attacker can exploit this vulnerability only if they have access to a PostgreSQL database that permits users to operate plug-ins. Alibaba Cloud's security system detected the issue during Wiz's security tests, and we took immediate action. The vulnerability has been fully remediated across all affected products.

Affected products

  • ApsaraDB RDS for PostgreSQL

  • AnalyticDB for PostgreSQL

  • PolarDB for PostgreSQL

  • PolarDB for Oracle

Customer impact

No action is required on your end. All affected products have been updated to fix the vulnerability. The vulnerability was never exploited in real-world scenarios.

Acknowledgement

We thank Wiz for responsibly disclosing this vulnerability. Alibaba Cloud worked closely with Wiz throughout the remediation process to improve security for our customers.

We will continue to monitor developments related to this vulnerability. For more information or assistance, contact Alibaba Cloud technical support.