Initial Publication Date: 2022/04/11 16:45 PST
Last Updated Date: 2022/04/12 13:00 PST

A security researcher recently reported an issue with Aurora PostgreSQL. Using this issue, they were able to gain access to internal credentials that were specific to their Aurora cluster. No cross-customer or cross-cluster access was possible; however, highly privileged local database users who could exercise this issue could potentially have gained additional access to data hosted in their cluster or read files within the operating system of the underlying host running their database.

This issue was associated with a third-party open-source PostgreSQL extension, “log_fdw”, which is pre-installed in both Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL. The issue permitted the researcher to examine the contents of local system files of the database instance within their account, including a file which contained credentials specific to Aurora. Privileged, authenticated database users with sufficient permissions to trigger this issue could use these credentials to gain elevated access to their own database resources from which the credentials were retrieved. They would not be able to use the credentials to access internal RDS services or move between databases or AWS accounts. The credentials could only be used to access resources associated with the Aurora database cluster from which the credentials were retrieved.

AWS moved immediately to address this issue when it was reported. As part of our mitigation, we have updated Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL to prevent this issue. We have also deprecated the Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL minor versions listed below. As such, customers can no longer create new instances with these versions.

The following Amazon Aurora PostgreSQL and Amazon RDS for PostgreSQL minor versions have been deprecated:

Amazon Aurora PostgreSQL-compatible edition versions:

  • 10.11, 10.12, 10.13
  • 11.6, 11.7, 11.8

Amazon RDS for PostgreSQL versions:

  • 13.2, 13.1
  • 12.6, 12.5, 12.4, 12.3, 12.2
  • 11.11, 11.10, 11.9, 11.8, 11.7, 11.6, 11.5, 11.5, 11.4, 11.3, 11.2, 11.1
  • 10.16, 10.15, 10.14, 10.13, 10.12, 10.11, 10.10, 10.9, 10.7, 10.6, 10.5, 10.4, 10.3, 10.1
  • 9.6.21, 9.6.20, 9.6.19, 9.6.18, 9.6.17, 9.6.16, 9.6.15, 9.6.14, 9.6.12, 9.6.11, 9.6.10, 9.6.9, 9.6.8, 9.6.6, 9.6.5, 9.6.3, 9.6.2, 9.6.1
  • 9.5, 9.4 and 9.3

For detailed release notes about minor versions, including existing supported versions, visit:

  • Aurora PostgreSQL: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Updates.20180305.html
  • RDS PostgreSQL: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_PostgreSQL.html
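The practical check that follows from the list above is an inventory sweep: does any cluster or instance in the account still run one of the deprecated minor versions? The script below is an added example, not AWS code or tooling. The deprecated-version sets are copied from the bulletin; the instance records are a constructed, trimmed-down imitation of the Engine/EngineVersion fields that the RDS DescribeDBInstances API returns, and the optional live fetch assumes boto3 is installed and AWS credentials are configured.

```python
"""Flag Amazon RDS / Aurora PostgreSQL instances running a minor version
that this bulletin deprecates. Added example; version lists copied from
the bulletin, sample records constructed for offline use."""

# Aurora PostgreSQL-compatible edition versions (from the bulletin).
AURORA_POSTGRESQL_DEPRECATED = {
    "10.11", "10.12", "10.13",
    "11.6", "11.7", "11.8",
}

# Amazon RDS for PostgreSQL versions (from the bulletin).
RDS_POSTGRESQL_DEPRECATED = {
    "13.2", "13.1",
    "12.6", "12.5", "12.4", "12.3", "12.2",
    "11.11", "11.10", "11.9", "11.8", "11.7", "11.6", "11.5", "11.4",
    "11.3", "11.2", "11.1",
    "10.16", "10.15", "10.14", "10.13", "10.12", "10.11", "10.10", "10.9",
    "10.7", "10.6", "10.5", "10.4", "10.3", "10.1",
    "9.6.21", "9.6.20", "9.6.19", "9.6.18", "9.6.17", "9.6.16", "9.6.15",
    "9.6.14", "9.6.12", "9.6.11", "9.6.10", "9.6.9", "9.6.8", "9.6.6",
    "9.6.5", "9.6.3", "9.6.2", "9.6.1",
}

# The bulletin lists these only by major version, so every release under
# them (e.g. 9.5.25) is treated as deprecated via prefix matching.
RDS_POSTGRESQL_DEPRECATED_MAJORS = ("9.5", "9.4", "9.3")


def is_deprecated(engine: str, version: str) -> bool:
    """True if (engine, version) is named in the bulletin's deprecation list.

    Engine names follow the RDS API: 'aurora-postgresql' and 'postgres'.
    Other engines are outside this bulletin's scope and never flagged."""
    engine = engine.lower()
    if engine == "aurora-postgresql":
        return version in AURORA_POSTGRESQL_DEPRECATED
    if engine == "postgres":
        if version in RDS_POSTGRESQL_DEPRECATED:
            return True
        # Exact-major or "major." prefix so "9.5" does not match "9.56".
        return any(version == m or version.startswith(m + ".")
                   for m in RDS_POSTGRESQL_DEPRECATED_MAJORS)
    return False


def flag_instances(instances):
    """Return (identifier, engine, version) for every deprecated instance,
    preserving the input order so reports are stable."""
    return [
        (inst["DBInstanceIdentifier"], inst["Engine"], inst["EngineVersion"])
        for inst in instances
        if is_deprecated(inst["Engine"], inst["EngineVersion"])
    ]


def live_instances():
    """Fetch real records with boto3 (assumption: boto3 installed and AWS
    credentials available). Not called by default so the example runs
    offline; replace SAMPLE_INSTANCES with live_instances() to use it."""
    import boto3
    paginator = boto3.client("rds").get_paginator("describe_db_instances")
    return [inst for page in paginator.paginate()
            for inst in page["DBInstances"]]


# Constructed sample records mimicking DescribeDBInstances output.
SAMPLE_INSTANCES = [
    {"DBInstanceIdentifier": "orders-prod", "Engine": "postgres",
     "EngineVersion": "12.6"},                    # deprecated
    {"DBInstanceIdentifier": "analytics-1", "Engine": "aurora-postgresql",
     "EngineVersion": "11.9"},                    # not in the list
    {"DBInstanceIdentifier": "legacy-reporting", "Engine": "postgres",
     "EngineVersion": "9.5.25"},                  # deprecated by major
    {"DBInstanceIdentifier": "inventory-mysql", "Engine": "mysql",
     "EngineVersion": "8.0.28"},                  # out of scope
]

if __name__ == "__main__":
    for ident, engine, version in flag_instances(SAMPLE_INSTANCES):
        print(f"DEPRECATED: {ident} ({engine} {version})")
```

Aurora clusters report their engine version on each member instance, so sweeping DescribeDBInstances covers both Aurora and RDS; DescribeDBClusters can be added the same way if cluster-level records are preferred.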

We would like to thank Lightspin for reporting this issue.

Security-related questions or concerns can be brought to our attention via aws-security@amazon.com.