
“PostgreSQL COPY FROM PROGRAM” is not a Vulnerability

Marc Linster12/21/2020
PostgreSQL

Last week, Computer Weekly reported on a CVE in Postgres that was exploited by PGMiner, a botnet that mines cryptocurrency. CVE-2019-9193 refers to the ability of a sufficiently privileged database user to read and write local files on the database server and, through COPY ... TO/FROM PROGRAM, to execute operating system commands with all the privileges of the operating system account the database server runs as.

This CVE was first reported in 2019, and the Postgres community disputed at the time that it describes a vulnerability. Several respected Postgres community members have reviewed the purported vulnerability in detail. See, for example, Magnus Hagander’s blog post dated Apr 2, 2019 and Robert Haas’ more detailed analysis dated Dec 15, 2020.

Their analyses show that while PostgreSQL does provide the capability to execute programs on the database server, that capability is restricted to superusers and to roles that have been explicitly granted membership in pg_execute_server_program; no role holds that membership by default. Granting pg_execute_server_program to non-superuser accounts is a violation of accepted practice, and a database superuser is, by design, already as powerful as the operating system account the server runs as. The situation described by Computer Weekly therefore requires both of the following: an account that is a superuser or has been granted this role, and the ability for an attacker to log in to that account remotely. Neither is the case on a properly configured server.
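The following SQL is an added example, not code from the original article or from the PostgreSQL project. It shows how a DBA can audit which roles are able to use COPY ... PROGRAM, and reproduces the behaviour described above on a scratch role. The role name app_user, the temporary table cmd_output and the password are assumptions for illustration only; run it as a superuser against a throwaway test database.

```sql
-- Added example (not from the original article). Audit: which login roles can
-- run COPY ... TO/FROM PROGRAM? Superusers always can; any other role only if
-- it has been granted pg_execute_server_program (held by no role by default).
-- Predefined pg_* roles are excluded because a role is always a member of itself.
SELECT r.rolname,
       r.rolsuper,
       r.rolcanlogin,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
           AS member_of_pg_execute_server_program
FROM   pg_roles AS r
WHERE  r.rolname NOT LIKE 'pg\_%'
  AND  (r.rolsuper
        OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER  BY r.rolname;
-- On a properly configured server this returns only the bootstrap superuser
-- (and any other superusers you knowingly created), no application roles.

-- Reproduce the article's point with a hypothetical, unprivileged role.
CREATE ROLE app_user LOGIN PASSWORD 'example-only';   -- assumed name/password

SET ROLE app_user;
CREATE TEMP TABLE cmd_output (line text);             -- owned by app_user
-- Fails: COPY ... PROGRAM needs superuser or pg_execute_server_program.
COPY cmd_output FROM PROGRAM 'id';
RESET ROLE;

-- Succeeds for the superuser: 'id' runs as the server's OS account
-- (e.g. "postgres"), which is exactly the power a superuser already has.
COPY cmd_output FROM PROGRAM 'id';
SELECT * FROM cmd_output;

-- The misconfiguration the article warns against, and its correction.
-- Weak: hands OS command execution to an application role.
GRANT pg_execute_server_program TO app_user;
-- Corrected: take it back; re-run the audit query above to confirm.
REVOKE pg_execute_server_program FROM app_user;

-- Clean up the scratch role.
DROP ROLE app_user;
```

The audit query is the check worth keeping: run it periodically and alert on any row that is not an expected superuser. Pair it with a review of pg_hba.conf and of superuser passwords, since the second precondition for the attack is that the privileged account can be reached and authenticated to from the network.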

EDB agrees with the PostgreSQL community that this does not merit a CVE, and that unless the database server is explicitly configured to extend this capability to accounts an attacker can reach, PostgreSQL cannot be exploited in the way the Computer Weekly article describes.

Any EDB customer concerned about this issue or any other PostgreSQL security questions should contact EDB Technical Support or their account representative immediately. If needed, EDB can provide a top-to-bottom security review to validate the security of the PostgreSQL configuration.

Marc Linster, Ph.D., is EDB’s Chief Technology Officer. Marc is committed to EDB being an accelerator to providing architectural “know how” to help customers take advantage of Postgres without significant risk and cost. Marc believes that although new customer adoption of open source is easier than ...