that Amazon Web Services has issued updates to resolve an Amazon Relational Database Service vulnerability, which could be exploited to allow internal credential leaks.
The Amazon RDS flaw was discovered by Lightspin researcher Gafnit Amiga within the Aurora PostgreSQL engine's "log_fdw" extension, which enables SQL interface usage for database engine log access and foreign table creation. Threat actors could leverage the flaw to evade log_fdw extension validation to access files with internal credentials and other system files, according to Amiga, who reported the flaw last December. However, AWS stressed that the credentials exposed could not be leveraged to impact other customers or clusters. "No cross-customer or cross-cluster access was possible; however, highly privileged local database users who could exercise this issue could potentially have gained additional access to data hosted in their cluster or read files within the operating system of the underlying host running their database," said AWS.