On 4/2/19 05:35, Brad Nicholson wrote:
> A blog post would be nice, but it seems to me having something about this
> clearly in the manual would be best, assuming it's not there already. I
> took a quick look, and couldn't find anything.

For the record, I don't see any warnings at all in the Oracle docs about this. Maybe I'm remembering wrong, but I think it's exactly the same situation there - anyone with full administrative privileges can use DBMS_SCHEDULER to run OS executables. And I don't think there's a way to configure Oracle to disable this for people logging in over the network with administrative privileges.

https://docs.oracle.com/en/database/oracle/oracle-database/19/arpls/DBMS_SCHEDULER.html#GUID-F41A5779-1915-4D5D-A7F5-87727320B742

I'm all for having clear documentation about the security model in PostgreSQL, but I personally wouldn't be in favor of adding extra wording to the docs just to pacify concerns about a CVE which may have been erroneously granted by an assigning authority, who possibly should have done better due diligence reviewing the content. Particularly if there's any possibility that the decision to assign the number can be appealed/changed, though admittedly I know very little about the CVE process.

Or if this is a legitimate CVE, and if I'm remembering correctly about Oracle, then maybe the CVE needs to be expanded to cover that database too?

-Jeremy

-- 
Jeremy Schneider
Database Engineer
Amazon Web Services