Critical Vulnerabilities in Microsoft Azure PostgreSQL

2 points

4 years ago

Security researchers at Wiz discovered critical vulnerabilities in Azure Database for PostgreSQL Flexible Server (Dubbed ExtraReplica). These vulnerabilities allowed unauthorized read access to other customers’ PostgreSQL database.

From Microsoft's advisory: "All Flexible Server Postgres servers deployed using the public access networking option were impacted with this security vulnerability. Customers using the private access networking option were not exposed to this vulnerability. The Single Server offering of Postgres was not impacted. Our analysis revealed no customer data was accessed using this vulnerability. Azure updated all Flexible Servers to fix this vulnerability. No action is required by customers. In order to further minimize exposure, we recommend that customers enable private network access when setting up their Flexible Server instances."

Research group blogpost: https://www.wiz.io/blog/wiz-research-discovers-extrareplica-cross-account-database-vulnerability-in-azure-postgresql/

Microsoft's advisory: https://msrc-blog.microsoft.com/2022/04/28/azure-database-for-postgresql-flexible-server-privilege-escalation-and-remote-code-execution