Microsoft fixes Azure PostgreSQL cross-account database access bug

By on
Microsoft fixes Azure PostgreSQL cross-account database access bug

"ExtraReplica" tenant bypass not exploited.

Microsoft has addressed a privilege escalation and remote code execution problem affecting its Azure Database for PostgreSQL Flexible Server that potentially could have led to unauthorised database access.

Dubbed "ExtraReplica" by security vendor Wiz which found the issue, a set of vulnerabilities meant attackers could have replicated and gained read access to other customers' databases.

An attacker could exploit an elevated permissions bug in the Flexible Server authentication process to leverage an improperly anchored regular expression to bypass authentication, Microsoft said.

No customer data was accessed via the "ExtraReplica" vulnerabilities, which affected all PostgreSQL Flexible Servers deployed with the public access networking option set.

Instances deployed with the private access networking option, and Single Server PostgreSQL databases, were not affected by the vulnerabilities.

No action is required by customers, as Microsoft said it addressed the issues in January and February this year.

Wiz noted that the PostgreSQL Flexible Server is missing public tenant isolation documentation, which makes it difficult for customers to evaluate risk during service onboarding.

This issue isn't unique to Azure, and Wiz said cloud providers need to be more transparent about their isolation architecture, especially for sensitive services such as databases.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © . All rights reserved.

Most Read Articles

Log In

  |  Forgot your password?