“PostgreSQL COPY FROM PROGRAM” is not a Vulnerability

Marc Linster December 21, 2020

“PostgreSQL COPY FROM PROGRAM” is not a vulnerability

Last week, Computer Weekly reported on a CVE in Postgres that was exploited by PGMiner, a botnet used to generate crypto currency. CVE-2019-9193 refers to the ability to work with local files on the database server and execute operating system level commands using all the privileges of the database server operating system account.

This CVE had been previously reported in 2019, and the Postgres community has disputed that this is a vulnerability. Several reputed Postgres community members have reviewed the purported vulnerability in detail. See for example Magnus Hagander’s blog dated Apr 2, 2019 and Robert Haas’ more detailed analysis dated Dec 15, 2020.

Their analyses show that while the capability to execute code at the local database server exists in PostgreSQL, this ability is not enabled by default for non-superuser accounts — it has to be enabled explicitly. Assigning the privilege pg_execute_server_program to non-superuser accounts is a violation of accepted practice. The situation described by Computer Weekly requires both of these configuration changes in order to enable remote code execution.

EDB agrees with the PostgreSQL community that this is not a CVE, and that unless the database server is explicitly configured to enable this feature, PostgreSQL cannot be exploited in the way described in the Computer Weekly article.

Any EDB customer concerned about this issue or any other PostgreSQL security questions should contact EDB Technical Support or their account representative immediately. If needed, EDB can provide a top-to-bottom security review to validate the security of the PostgreSQL configuration.

Marc LinsterChief Technology Officer

Marc Linster, Ph.D., is EDB’s Chief Technology Officer and leads EDB’s engineering divisions and product development groups. Marc is committed to EDB being an accelerator to providing architectural “know how” to help customers take advantage of Postgres without significant risk and cost. Marc believes that although new customer adoption of open source is easier than the experience of purchasing proprietary options, tools are still incredibly important, and EDB’s professional services practices provides them. Marc has an extensive background in engineering, technology and logistics with 20 years of management experience. Before joining EDB, Marc spent four years at Polycom, the leading maker of video communications equipment, where most recently he was a Senior Director, Engineering for Cloud and Hosted Solutions. Before Polycom, Marc was Co-founder and President of TriPoint Interactive, a global supply chain consulting and systems integration company. He spent six years at Avicon Group, first as CTO and then as Vice President of Operations. Marc is an avid equestrian. Marc holds a Ph.D. (Dr. rer. nat) in Computer Sciences from the University of Kaiserslautern in Germany.