Courtesy Notification: CVE-2020-21469 PostgreSQL 12.2 Security Vulnerability

This is a courtesy notification to our clients and community regarding an alleged security issue for PostgreSQL 12.2.

The following issue was reported as CVE-2020-21469:

An issue discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals.

This is not a security vulnerability, and was filed without prior knowledge of or consultation with the PostgreSQL Security Team as reported in this news release.

To cause a denial-of-service issue in a PostgreSQL 12.2 instance, an account would require explicitly granted elevated privileges, such as one of the following:

  • A PostgreSQL superuser (postgres)
  • A user that was granted permission to execute pg_reload_conf by a PostgreSQL superuser
  • Access to a privileged operating system user
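The privileges listed above can be audited from inside the database. The following query is an added example and is not part of this notification or of the PostgreSQL project's documentation: it lists every login role that is a superuser or that has been granted EXECUTE on `pg_reload_conf()` (the function that sends SIGHUP to the postmaster), which is the set of database accounts that could trigger repeated configuration reloads. The role name `app_reporting` in the REVOKE statement is a placeholder.

```sql
-- Added audit query (not from the advisory): which database roles can
-- trigger a configuration reload (SIGHUP) through pg_reload_conf()?
-- Superusers always can; other roles only if EXECUTE was granted explicitly,
-- since EXECUTE on pg_reload_conf() is not granted to PUBLIC by default.
SELECT r.rolname,
       r.rolsuper,
       has_function_privilege(r.oid, 'pg_catalog.pg_reload_conf()', 'EXECUTE')
           AS can_reload_conf
FROM pg_catalog.pg_roles AS r
WHERE r.rolcanlogin
  AND (r.rolsuper
       OR has_function_privilege(r.oid, 'pg_catalog.pg_reload_conf()', 'EXECUTE'))
ORDER BY r.rolsuper DESC, r.rolname;

-- Remediation for a non-superuser role that should not hold this grant
-- ('app_reporting' is a placeholder role name, not from the advisory):
REVOKE EXECUTE ON FUNCTION pg_catalog.pg_reload_conf() FROM app_reporting;
```

Run the query as a superuser; any non-superuser row with `can_reload_conf = true` is a grant to review, and the REVOKE restores the default where that grant is not needed. Operating-system access to the postmaster process (the third bullet) is outside the database's privilege model and must be checked on the host.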

Following best practices for user privileges and information security will prevent this occurrence. To learn more about known PostgreSQL security vulnerabilities and the related patches for all versions, visit this page.

As always, we recommend that you upgrade to the most recent supported minor release because of other security and bug fixes.

If you are running PostgreSQL version 10 or earlier, note that it is End-of-Life (EOL) and we recommend that you upgrade to a supported version. If you need help maintaining an EOL version, reach out to us for extended support. Find out more here or contact us today!