Security News > 2023 > April > Two Critical Flaws Found in Alibaba Cloud's PostgreSQL Databases

A chain of two critical flaws has been disclosed in Alibaba Cloud's ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL that could be exploited to breach tenant isolation protections and access sensitive data belonging to other customers.

"The vulnerabilities potentially allowed unauthorized access to Alibaba Cloud customers' PostgreSQL databases and the ability to perform a supply chain attack on both Alibaba database services, leading to an RCE on Alibaba database services," cloud security firm Wiz said in a new report shared with The Hacker News.

The issues, dubbed BrokenSesame, were reported to Alibaba Cloud in December 2022, following mitigations were deployed by the company on April 12, 2023.

Armed with this capability, an attacker could retrieve credentials associated with the container registry from the API server and push a malicious image to gain control of customer databases belonging to other tenants on the shared node.

This is not the first time PostgreSQL vulnerabilities have been identified in cloud services.

The findings come as Palo Alto Networks Unit 42, in its Cloud Threat Report, revealed that "Threat actors have become adept at exploiting common, everyday issues in the cloud," including misconfigurations, weak credentials, lack of authentication, unpatched vulnerabilities and malicious open source software packages.

News URL

https://thehackernews.com/2023/04/two-critical-flaws-found-in-alibaba.html