“PostgreSQL COPY FROM PROGRAM” is not a Vulnerability

December 21, 2020

Last week, Computer Weekly reported on a CVE in Postgres that was exploited by PGMiner, a botnet used to generate crypto currency. CVE-2019-9193 refers to the ability to work with local files on the database server and execute operating system level commands using all the privileges of the database server operating system account.

This CVE had been previously reported in 2019, and the Postgres community has disputed that this is a vulnerability. Several reputed Postgres community members have reviewed the purported vulnerability in detail. See for example Magnus Hagander’s blog dated Apr 2, 2019 and Robert Haas’ more detailed analysis dated Dec 15, 2020.

Their analyses show that while the capability to execute code at the local database server exists in PostgreSQL, this ability is not enabled by default for non-superuser accounts — it has to be enabled explicitly. Assigning the privilege pg_execute_server_program to non-superuser accounts is a violation of accepted practice. The situation described by Computer Weekly requires both of these configuration changes in order to enable remote code execution.

EDB agrees with the PostgreSQL community that this is not a CVE, and that unless the database server is explicitly configured to enable this feature, PostgreSQL cannot be exploited in the way described in the Computer Weekly article.

Any EDB customer concerned about this issue or any other PostgreSQL security questions should contact EDB Technical Support or their account representative immediately. If needed, EDB can provide a top-to-bottom security review to validate the security of the PostgreSQL configuration.

Share this