Summary
ApsaraDB and AnalyticDB contained several vulnerabilities in their PostgreSQL offerings
which ultimately allowed unauthorized access to other tenants' databases and the ability
to perform a supply-chain attack on both services, which in turn would have allowed remote
code execution (RCE) as well. Both services implemented multi-tenancy through a shared K8s
cluster, but contained several bugs related to tenant isolation which an attacker could
chain together to achieve the above impact. In ApsaraDB, these included privilege escalation
to root in a container, a shared PID namespace enabling container escape, and write permissions
granted to K8s nodes for a private container image registry utilized by both services.
In AnalyticDB, the bugs included file disclosure, command line injection in a privileged
container, and susceptibility to the core_pattern container escape technique.
Affected Services
ApsaraDB RDS for PostgreSQL, AnalyticDB for PostgreSQL
Remediation
None required
Tracked CVEs
No tracked CVEs
References
Contributed by https://github.com/korniko98
Entry Status
Finalized
Disclosure Date
Sun, Dec 4th, 2022
Exploitablity Period
-
Known ITW Exploitation
-
Detection Methods
-
Piercing Index Rating
-
Discovered by
Ronen Shustin, Shir Tamari, Wiz
