CVE-2023-5870 Overview
A denial-of-service vulnerability exists in PostgreSQL's pg_signal_backend role (the CVE text calls it the "pg_cancel_backend role", after the pg_cancel_backend() function it gives access to). Members of that role could signal background workers, including the logical replication launcher, autovacuum workers and the autovacuum launcher, which only superusers were meant to be able to signal. A remote, authenticated user holding the role can therefore disrupt those processes. The core workers are restarted by the postmaster, so the practical impact is on background workers supplied by non-core extensions that do not recover from the signal.
Critical Impact
A non-superuser who is a member of pg_signal_backend can cancel or terminate PostgreSQL background workers with pg_cancel_backend() and pg_terminate_backend(). Autovacuum and the logical replication launcher are restarted by the postmaster, so disruption to them is brief; the real exposure is denial of service against background workers registered by non-core extensions that are less resilient to being signalled.
Affected Products
- PostgreSQL (versions prior to 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22)
- Red Hat Enterprise Linux 8.x and 9.x
- Red Hat CodeReady Linux Builder EUS
- Red Hat Software Collections
Discovery Timeline
- November 9, 2023 - PostgreSQL releases 16.1, 15.5, 14.10, 13.13, 12.17 and 11.22 with the fix
- December 10, 2023 - CVE-2023-5870 published to NVD
- November 4, 2025 - Last updated in NVD database
Technical Details for CVE-2023-5870
Vulnerability Analysis
The flaw is in the permission check behind pg_cancel_backend() and pg_terminate_backend(), the functions that the pg_signal_backend role lets non-superusers use against other sessions. The documented rule is that pg_signal_backend members may signal any process that is not owned by a superuser. Processes that run without a session role, which is the case for the logical replication launcher, autovacuum workers and the autovacuum launcher, advertise no owning role at all, and the check did not treat that case as superuser ownership, so members of the role could signal them.
Exploitation requires an authenticated connection as a member of pg_signal_backend. The core workers are restarted by the postmaster after being cancelled or terminated, so the damage there is short-lived; a lasting denial of service requires a non-core extension whose background worker does not recover from the signal (for example one registered without automatic restart), and only that worker is affected. Exploitation is therefore contextual and depends on what the target instance has installed.
The vulnerability is classified under CWE-400 (Uncontrolled Resource Consumption), since the ability to repeatedly kill background workers lets a cheap action disrupt maintenance and replication service.
Root Cause
pg_cancel_backend() and pg_terminate_backend() share one permission check: a caller who is not a superuser may signal a target only if the target process is not owned by a superuser. Background processes that have no session role (the autovacuum launcher and workers, the logical replication launcher, and extension workers that run the same way) advertise a role OID of zero rather than a real role, and the check treated that as "not superuser-owned". The fix treats any process that advertises no role as superuser-owned, so only superusers can signal it; the same release also makes sure the is_superuser parameter is set correctly inside these processes. The flaw becomes a lasting denial of service only in combination with non-core extensions whose background workers do not recover from being signalled.
Attack Vector
The attack needs network access to the database and an authenticated role that is a member of pg_signal_backend, directly or through another role; the CVE rates it as remote with high privileges. The steps are:
- Authenticate to the PostgreSQL instance as a non-superuser role that holds pg_signal_backend
- Enumerate target processes from pg_stat_activity, whose backend_type column distinguishes client sessions from the autovacuum launcher and workers, the logical replication launcher and extension workers
- Call pg_cancel_backend(pid) (sends SIGINT) or pg_terminate_backend(pid) (sends SIGTERM) against those pids; on an unpatched server the calls succeed for a pg_signal_backend member
- Core workers are restarted by the postmaster; an extension worker that does not handle the signal, or is not configured to restart, stays down, and repeating the call keeps it down
The attack needs no user interaction and affects availability only, by disrupting background maintenance, replication and extension worker processes.
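The path above, written out as SQL. This is an added illustration, not code from the PostgreSQL project or from the advisory; it assumes a non-superuser session whose role has been granted pg_signal_backend, and PostgreSQL 10 or later for the backend_type column.

```sql
-- Added illustration of the signalling path (not PostgreSQL project code).
-- Run as a non-superuser role that is a member of pg_signal_backend.

-- Enumerate everything that is not an ordinary client session. Core workers
-- report fixed type names; an extension worker reports the bgw_type string
-- the extension registered. pid and backend_type are visible to every role.
SELECT pid, backend_type, datname, usename, backend_start
  FROM pg_stat_activity
 WHERE backend_type <> 'client backend'
 ORDER BY backend_type, pid;

-- Signal the processes the advisory names. On an unpatched server each call
-- returns true and the target receives SIGINT (pg_cancel_backend) or SIGTERM
-- (pg_terminate_backend). On a fixed server the same call fails with an
-- insufficient-privilege error, because a process that advertises no role is
-- now treated as superuser-owned.
SELECT pid, backend_type, pg_cancel_backend(pid) AS signalled
  FROM pg_stat_activity
 WHERE backend_type IN ('autovacuum launcher',
                        'autovacuum worker',
                        'logical replication launcher');

-- What happens next depends on the target. Core workers come back with new
-- pids and a fresh backend_start once the postmaster restarts them; an
-- extension worker that does not recover from the signal is simply absent.
SELECT pid, backend_type, backend_start
  FROM pg_stat_activity
 WHERE backend_type <> 'client backend'
 ORDER BY backend_start DESC;
```

The same sequence with pg_terminate_backend(pid) in place of pg_cancel_backend(pid) exercises the SIGTERM path; the permission check is shared, so a fixed server rejects both.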
Detection Methods for CVE-2023-5870
Indicators of Compromise
- Unexpected exits of PostgreSQL background workers: postmaster log lines of the form background worker "<type>" (PID <n>) exited with exit code 1, or ERROR: canceling autovacuum task logged by an autovacuum worker
- Repeated restarts of the logical replication launcher or autovacuum workers in the PostgreSQL log with no matching administrative activity
- pg_cancel_backend() or pg_terminate_backend() calls whose target pid is a background process, issued by roles that are not superusers
- Maintenance operations (autovacuum, logical replication, extension-scheduled jobs) failing or not completing as expected
Detection Strategies
- Monitor PostgreSQL logs for background worker exit and restart messages and alert when they cluster in time
- Audit calls to pg_cancel_backend() and pg_terminate_backend() and correlate them with the calling session; PostgreSQL does not log these calls by default, so this needs log_statement = 'all' for the relevant roles or an auditing extension such as pgaudit
- Alert on unusual patterns in autovacuum and logical replication launcher activity, such as workers restarting more often than the configured restart interval would explain
- Review role membership to identify accounts that hold pg_signal_backend, including through nested role grants
Monitoring Recommendations
- PostgreSQL does not log pg_cancel_backend() or pg_terminate_backend() calls by default; set log_statement = 'all' for the roles that hold pg_signal_backend (ALTER ROLE ... SET log_statement = 'all') or deploy pgaudit so the calls are recorded together with the calling user
- Ship logs to a central store (csvlog or, from PostgreSQL 15, jsonlog output exposes process_id, user_name and backend_type as fields) and detect patterns of background worker exits
- Monitor the process list, or backend_type in pg_stat_activity, for background workers and alert when a worker disappears or its backend_start changes unexpectedly
- Track role membership changes for pg_signal_backend; the "pg_cancel_backend role" named in the CVE text is this role, there is no separate role of that name
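The detection strategies and monitoring recommendations above, worked through as queries over the server log. This is an added example, not part of the advisory or of PostgreSQL. It assumes log_destination = 'csvlog', that the CSV logs are exposed as a table using (a subset of) the column layout given in the file_fdw chapter of the PostgreSQL manual, and that the roles of interest run with log_statement = 'all' so their function calls appear as "statement:" lines. A temporary table with constructed rows stands in for the real foreign table so the queries can be tried anywhere; the role names, pids and timestamps are invented.

```sql
-- Added example (not from the advisory or PostgreSQL). Stand-in for a csvlog
-- table loaded through file_fdw; only the columns the queries need are kept.
CREATE TEMP TABLE postgres_log (
    log_time        timestamptz,
    user_name       text,      -- NULL for postmaster and worker processes
    database_name   text,
    process_id      integer,
    error_severity  text,
    message         text,
    backend_type    text       -- csvlog column since PostgreSQL 13
);

-- Constructed sample: app_ro terminates the logical replication launcher twice
-- (it is restarted with a new pid in between), cancels an autovacuum worker,
-- and a superuser terminates an idle client session, which is benign.
INSERT INTO postgres_log VALUES
 ('2023-11-10 10:00:00+00',   'app_ro',   'appdb',    5120, 'LOG',
  'statement: SELECT pg_terminate_backend(4301);', 'client backend'),
 ('2023-11-10 10:00:00.2+00', NULL,       NULL,       4301, 'FATAL',
  'terminating connection due to administrator command', 'logical replication launcher'),
 ('2023-11-10 10:00:00.3+00', NULL,       NULL,       4100, 'LOG',
  'background worker "logical replication launcher" (PID 4301) exited with exit code 1', 'postmaster'),
 ('2023-11-10 10:00:06+00',   'app_ro',   'appdb',    5120, 'LOG',
  'statement: SELECT pg_terminate_backend(4319);', 'client backend'),
 ('2023-11-10 10:00:06.2+00', NULL,       NULL,       4100, 'LOG',
  'background worker "logical replication launcher" (PID 4319) exited with exit code 1', 'postmaster'),
 ('2023-11-10 10:01:30+00',   'app_ro',   'appdb',    5120, 'LOG',
  'statement: SELECT pg_cancel_backend(4388);', 'client backend'),
 ('2023-11-10 10:01:30.1+00', NULL,       'appdb',    4388, 'ERROR',
  'canceling autovacuum task', 'autovacuum worker'),
 ('2023-11-10 10:05:00+00',   'postgres', 'postgres', 5200, 'LOG',
  'statement: SELECT pg_terminate_backend(5300);', 'client backend'),
 ('2023-11-10 10:05:00.1+00', 'app_rw',   'appdb',    5300, 'FATAL',
  'terminating connection due to administrator command', 'client backend');

-- Detection 1: a signalling call from a logged-in role, followed within five
-- seconds by a worker-side event for the same pid. The postmaster's exit line
-- carries the worker pid inside the message; worker-emitted lines carry it in
-- process_id. Client-backend terminations are excluded, so the superuser's
-- action on pid 5300 does not match.
WITH signals AS (
    SELECT log_time, user_name, process_id AS caller_pid,
           (regexp_match(message,
               'pg_(?:cancel|terminate)_backend\s*\(\s*(\d+)'))[1]::integer AS target_pid
      FROM postgres_log
     WHERE error_severity = 'LOG'
       AND message ~ 'pg_(cancel|terminate)_backend\s*\('
),
worker_events AS (
    SELECT log_time, backend_type, error_severity, message,
           COALESCE((regexp_match(message, '\(PID (\d+)\)'))[1]::integer,
                    process_id) AS worker_pid
      FROM postgres_log
     WHERE (backend_type = 'postmaster'
            AND message ~ '^background worker ".+" \(PID \d+\) exited')
        OR (backend_type NOT IN ('client backend', 'postmaster')
            AND message IN ('canceling autovacuum task',
                            'terminating connection due to administrator command'))
)
SELECT s.log_time AS signalled_at, s.user_name, s.target_pid,
       w.backend_type, w.error_severity, w.message,
       w.log_time - s.log_time AS lag
  FROM signals s
  JOIN worker_events w
    ON w.worker_pid = s.target_pid
   AND w.log_time >= s.log_time
   AND w.log_time <  s.log_time + interval '5 seconds'
 WHERE s.user_name IS NOT NULL
 ORDER BY s.log_time, w.log_time;

-- Detection 2: restart churn regardless of who caused it (covers roles that
-- are not statement-logged). Counts postmaster worker-exit lines per worker
-- type in 10-minute windows; the threshold is a starting point to tune.
SELECT date_trunc('hour', log_time)
         + make_interval(mins => 10 * (extract(minute FROM log_time)::integer / 10)) AS window_start,
       substring(message FROM '^background worker "(.+)" \(PID') AS worker,
       count(*) AS exits
  FROM postgres_log
 WHERE backend_type = 'postmaster'
   AND message ~ '^background worker ".+" \(PID \d+\) exited'
 GROUP BY 1, 2
HAVING count(*) >= 2
 ORDER BY 1, 2;
```

On the sample data the first query returns the three app_ro actions paired with their worker-side effects and nothing for the superuser's termination of pid 5300; the second flags the logical replication launcher with two exits in the 10:00 window. In production, join the first query's user_name against pg_roles to drop superusers, who are entitled to signal these processes on both unpatched and fixed servers.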
How to Mitigate CVE-2023-5870
Immediate Actions Required
- Update PostgreSQL to a fixed release: 16.1, 15.5, 14.10, 13.13, 12.17 or 11.22, or any later release on the same branch
- Audit membership of pg_signal_backend (the role the CVE text calls pg_cancel_backend) and restrict it to roles that genuinely need to cancel other users' sessions
- Review installed extensions for non-core background workers and assess how they behave when cancelled or terminated
- Apply vendor-specific updates from Red Hat or other distribution providers
Patch Information
PostgreSQL has released security updates addressing this vulnerability. Patched versions include PostgreSQL 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22. Organizations should update to these versions or later. Detailed patch information is available in the PostgreSQL Security Advisory for CVE-2023-5870.
Red Hat has released multiple security advisories addressing this vulnerability across their product portfolio. See Red Hat Security Advisory RHSA-2023:7545 and related advisories for RHEL-specific updates.
Workarounds
- Revoke pg_signal_backend membership from non-essential database roles as an interim measure; the predefined role itself cannot be dropped, only its membership controlled
- Remove or disable non-critical extensions that implement background workers until patching is complete
- Implement network segmentation to limit database access to trusted administrative hosts only
- Configure connection limits and authentication restrictions for privileged database roles
# Revoke pg_signal_backend membership from a non-essential role (the "pg_cancel_backend role" in the CVE text is pg_signal_backend; there is no role of that name)
psql -c "REVOKE pg_signal_backend FROM non_essential_user;"
# List roles that hold pg_signal_backend, directly or through another role, for auditing (superusers are reported as members of every role)
psql -c "SELECT rolname FROM pg_roles WHERE pg_has_role(rolname, 'pg_signal_backend', 'member');"
# Check the server version to verify patch status (16.1, 15.5, 14.10, 13.13, 12.17, 11.22 and later carry the fix)
psql -c "SELECT version();"
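A fuller audit for the immediate actions and workarounds above, as an added example that is not from the advisory or from the PostgreSQL project. It assumes a superuser session so that pg_roles and pg_stat_activity are fully visible; reporting_app is an assumed role name for the final REVOKE.

```sql
-- Added example (not PostgreSQL project code). Run as a superuser.

-- 1. Patch state. server_version_num is major*10000 + minor (160001 = 16.1).
--    Branches 17 and later shipped after the fix; anything older than 11 was
--    never fixed, so both fall through to the ELSE branch correctly.
WITH v AS (SELECT current_setting('server_version_num')::integer AS num)
SELECT current_setting('server_version') AS server_version,
       CASE num / 10000
            WHEN 16 THEN num >= 160001
            WHEN 15 THEN num >= 150005
            WHEN 14 THEN num >= 140010
            WHEN 13 THEN num >= 130013
            WHEN 12 THEN num >= 120017
            WHEN 11 THEN num >= 110022
            ELSE num >= 170000
       END AS has_cve_2023_5870_fix
  FROM v;

-- 2. Roles that can call pg_cancel_backend()/pg_terminate_backend() against
--    other roles' processes: superusers, plus direct or inherited members of
--    pg_signal_backend. On a fixed server only the superusers can still reach
--    the background workers; the members are the ones to review.
SELECT r.rolname, r.rolsuper, r.rolcanlogin,
       pg_has_role(r.oid, 'pg_signal_backend', 'MEMBER') AS signal_backend_member
  FROM pg_roles r
 WHERE r.rolname NOT LIKE 'pg\_%'
   AND (r.rolsuper OR pg_has_role(r.oid, 'pg_signal_backend', 'MEMBER'))
 ORDER BY r.rolsuper DESC, r.rolname;

-- 3. Running background workers that are not core PostgreSQL processes, i.e.
--    the ones whose resilience the advisory leaves to the extension author.
--    The exclusion list is the set of backend_type values PostgreSQL itself
--    reports across supported branches; extend it for newer majors.
SELECT pid, backend_type, datname, backend_start
  FROM pg_stat_activity
 WHERE backend_type NOT IN ('client backend', 'autovacuum launcher',
                            'autovacuum worker', 'parallel worker',
                            'background writer', 'checkpointer', 'archiver',
                            'startup', 'walreceiver', 'walsender', 'walwriter',
                            'walsummarizer', 'slotsync worker')
   AND backend_type NOT LIKE 'logical replication%'
 ORDER BY backend_type, pid;

-- 4. Interim containment on an unpatched server: drop the membership from a
--    role that does not need it (reporting_app is an assumed example name).
REVOKE pg_signal_backend FROM reporting_app;
```

Query 3 lists the workers to examine against the "less-resilient background worker" precondition: for each, check how the extension registers it (restart interval, signal handling) and whether losing it silently breaks a job schedule or replication path.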
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


