Last week, the PostgreSQL Project advised its users of an upcoming security patch for a critical security vulnerability in their database server software. All currently supported versions are affected and the patch will be released on Thursday, April 4th. To our knowledge this is the first time that an Open Source project has pre announced a vulnerability and upcoming patch. We expect the release to fix a Remote Code Execution vulnerability in this popular database engine and recommend all PostgreSQL users to upgrade to a secure version as soon as possible, especially if your database server is connected directly to the Internet. The Shodan search engine currently lists over 30,000 systems that have an accessible PostgreSQL server on the Internet.
Underscoring the severity of the vulnerability is an announcement by Heroku, a popular cloud application platform, that has started forcibly upgrading all of customers’ PostgreSQL installations with the patch.
We will update this post as soon as more information becomes available.