On Tue, 10 Jan 2023 at 17:54, Jeffrey Walton <noloader@gmail.com> wrote: > > On Tue, Jan 10, 2023 at 9:46 AM Magnus Hagander <magnus@hagander.net> wrote: > > > > On Tue, Jan 10, 2023, 15:42 Jeffrey Walton <noloader@gmail.com> wrote: > >> > >> https://www.bleepingcomputer.com/news/security/microsoft-kubernetes-clusters-hacked-in-malware-campaign-via-postgresql/ > > > > I think the most impressive part in that article is that they found and linked to the postgresql 7 documentation... > > It looks like the article used an older version of the docs because > the link is broken for the newer version. When following the link to > the latest version of the docs, its results in a "Page not found".
The page simply doesn't exist, because the information is sperad out across multiple places. There is indeed a bug in that a link is generated to /current/ even if that page does not exist. But the information that's on there is also wildly out of date. This page was removed from the documentation in 2001, over 20 years ago. Linking to such obsolete pages in an article from 2023 doesn't exactly inspire confidence.
I wonder what was the vulnerability in Postgres that enabled "hackers" to run malware? I've read the article and the linked ones and found no causative link between Postgres and malware inside. Sorry, it seems like baseless warnings, not a description of vulnerability. Maybe I haven't got something?
There is no vulnerability in postgres. They are exploiting incorrectly *configured* postgres instances that allow unauthenticated users to log in as superuser, which by definition means the system is configured to allow arbitrary users to upload and run arbitrary code -- which they did. Similar to leaving the ssh port open to the world for a user with a default name and no password.