Security News > 2022 > April > Microsoft fixes ExtraReplica Azure bugs that exposed user databases
Microsoft has addressed a chain of critical vulnerabilities found in the Azure Database for PostgreSQL Flexible Server that could let malicious users escalate privileges and gain access to other customers' databases after bypassing authentication.
"By exploiting an elevated permissions bug in the Flexible Server authentication process for a replication user, a malicious user could leverage an improperly anchored regular expression to bypass authentication to gain access to other customers' databases," the Microsoft Security Response Center team explained today.
Microsoft deployed fixes to all Flexible Servers by February 25, 2022, to address a remote code execution flaw in the Flexible Server PostgreSQL service and a privilege escalation bug.
Microsoft says that none of its Azure customers using the impacted Flexible Servers before the fix rolled out were affected in any way, and no customer data was accessed without authorization by exploiting the ExtraReplica vulnerability chain.
Microsoft recommends deploying PostgreSQL flexible servers on Azure virtual networks, which provide private and secure network communication.
The researchers have also found several other security flaws in Microsoft Azure products, including Azure Cosmos DB, the Open Management Infrastructure software agent, and the Azure App Service.