mkretzer
Veteran
Posts: 1267
Liked: 456 times
Joined: Dec 17, 2015 7:17 am
Contact:

How risky is running the pre-installed Postgresql without updates really?

Post by mkretzer » 1 person likes this post

Hello,

I am a big fan of updating everything that can pose a security risk, and I have seen a lot of Veeam users unhappy with the decision to pre-install PostgreSQL. I just wonder: is there a realistic attack scenario where the PostgreSQL server causes a security risk?

When the Veeam system is non-domain-joined, PostgreSQL only listens on localhost (from what I see this is the default setting) and Veeam is on a dedicated server, I currently do not see any way to attack that component - or am I missing something?

Markus
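The post above relies on PostgreSQL actually being bound to localhost only. The following is an added example (not from the forum thread, Veeam or the PostgreSQL project) that audits a `postgresql.conf` text for `listen_addresses` and classifies whether the configured sockets are loopback-only; the sample configuration strings are constructed, and the path to the config file on a real backup server is an assumption you would replace with your own.

```python
"""Audit a postgresql.conf for network exposure of the PostgreSQL listener.

Added example, not code from the forum thread or from Veeam/PostgreSQL.
It parses the `listen_addresses` setting and decides whether every configured
address is loopback. The PostgreSQL default when the setting is absent is
'localhost'; an empty string disables TCP sockets entirely (Unix sockets only).
"""
import ipaddress
import re

# Hostnames PostgreSQL resolves to loopback without further lookup.
LOOPBACK_NAMES = {"localhost"}

# Constructed sample configurations (not from any real server).
SAMPLE_CONF_DEFAULT = """
# Commented-out lines are inactive; the default 'localhost' applies.
#listen_addresses = '*'
port = 5432
max_connections = 100
"""

SAMPLE_CONF_EXPOSED = """
listen_addresses = 'localhost'
# A later assignment overrides the earlier one, as PostgreSQL does.
listen_addresses = 'localhost, 0.0.0.0'
port = 5432
"""

_LISTEN_RE = re.compile(r"^\s*listen_addresses\s*=?\s*'([^']*)'", re.IGNORECASE)


def parse_listen_addresses(conf_text: str) -> str:
    """Return the effective listen_addresses value from postgresql.conf text.

    Later uncommented assignments override earlier ones; lines starting with
    '#' never match the pattern and are therefore ignored.
    """
    value = "localhost"  # PostgreSQL built-in default
    for line in conf_text.splitlines():
        match = _LISTEN_RE.match(line)
        if match:
            value = match.group(1)
    return value


def is_loopback_only(listen_addresses: str) -> bool:
    """True if every configured address is loopback or TCP is disabled.

    '*', '0.0.0.0' and '::' bind all interfaces and are reported as exposed;
    an unresolvable or unknown hostname is also treated as exposed because
    the binding cannot be verified from the config file alone.
    """
    entries = [e.strip() for e in listen_addresses.split(",") if e.strip()]
    if not entries:
        return True  # empty value: no TCP listener at all
    for entry in entries:
        if entry == "*":
            return False
        if entry in LOOPBACK_NAMES:
            continue
        try:
            if not ipaddress.ip_address(entry).is_loopback:
                return False
        except ValueError:
            return False  # arbitrary hostname: cannot confirm it is loopback
    return True


def audit_conf(conf_text: str) -> dict:
    """Summarise the exposure of a postgresql.conf text."""
    value = parse_listen_addresses(conf_text)
    return {"listen_addresses": value, "loopback_only": is_loopback_only(value)}


if __name__ == "__main__":
    # On a real backup server you would read the file instead, e.g. the
    # PostgreSQL data directory's postgresql.conf (path is an assumption).
    for name, conf in (("default", SAMPLE_CONF_DEFAULT), ("exposed", SAMPLE_CONF_EXPOSED)):
        print(name, audit_conf(conf))
```

Run it against the real file with `audit_conf(open(path).read())`; a `loopback_only` of `False` means the database is reachable from the network and the "only listens on localhost" assumption in the post does not hold for that server. The check reads configuration only, so pair it with a look at the actual listening sockets on the host to confirm the running instance matches the file.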
tgx
Enthusiast
Posts: 60
Liked: 62 times
Joined: Feb 11, 2019 6:17 pm
Contact:

Re: How risky is running the pre-installed Postgresql without updates really?

Post by tgx »

According to Veeam:

"Note: This vulnerability only impacts domain-joined backup servers."

source: https://www.veeam.com/kb4724
Gostev
Chief Product Officer
Posts: 32374
Liked: 7726 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: How risky is running the pre-installed Postgresql without updates really?

Post by Gostev » 1 person likes this post

mkretzer wrote: Apr 07, 2025 4:36 pm
> I just wonder: Is there a realistic attack scenario where the Postgresql server causes a security risk?
>
> When the Veeam system is non Domain-Joined, Postgresql only listens on localhost (from what i see this is the default setting) and Veeam is on a dedicated server i currently do not see any way to attack that component - or do i miss something?

Hi, Markus. I believe your thinking is correct. @dzyuzin what is your opinion?
dzyuzin
Veeam Software
Posts: 8
Liked: 8 times
Joined: Oct 20, 2010 4:15 pm
Full Name: Denis Zyuzin
Contact:

Re: How risky is running the pre-installed Postgresql without updates really?

Post by dzyuzin » 1 person likes this post

Can't give a generic answer -- that depends on the vulnerability. I would say that none of the latest PostgreSQL CVEs (2024 and 2025) can indeed be exploited in our usage scenario. But if a new CVE allows some sophisticated RCE that doesn't require network interaction, or that can be exploited to elevate privileges -- we can't be so sure, and customers should always strive to use the latest versions of OS/DB and other software installed on critical infrastructure.
garypigott
Service Provider
Posts: 11
Liked: 6 times
Joined: Sep 17, 2018 4:45 pm
Full Name: Gary Pigott
Contact:

Re: How risky is running the pre-installed Postgresql without updates really?

Post by garypigott » 2 people like this post

Even if there's no specific risk, having a CVSS 9.9 vulnerability against an entry in your software catalog triggers an immediate response in a lot of organisations. It just looks bad to leave it there for any length of time. We patched it anyway, same day. I work for an MSP where being down for an hour while we patch everything can be explained. Getting rooted and having all our clients' data exposed, on the other hand, is a company-ending event.
Gostev
Chief Product Officer
Posts: 32374
Liked: 7726 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: How risky is running the pre-installed Postgresql without updates really?

Post by Gostev »

You're probably talking about something different from what this topic is about (the last Veeam vulnerability vs. recent PostgreSQL vulnerabilities over the last couple of years).