Heroku Forces Customer Upgrade To Fix Critical PostgreSQL Security Hole

Heroku customers are getting first access to a critical update to the PostgreSQL database system that will patch a major security hole. The overall PostgreSQL community will get access to an update on Thursday.

Here’s the statement from Heroku:

Heroku Postgres databases will be undergoing a brief but important update between today Monday (April 1st) and Wednesday (April 3rd). During the update, your database will be offline for roughly sixty seconds, and will then be restarted. Due to the nature of this update, a scheduled time is not possible. Individual notifications will not be sent for databases that require maintenance.

Last Thursday, the PostgreSQL project announced that it would release the update on April 4 to fix a high-exposure security vulnerability, and strongly urged users to apply the update as soon as it becomes available.

No word back yet, but I’ve asked Heroku’s public relations team for comment about why they are making the forced update and the reason they are getting first access.

Hacker News commenters are saying the early access may be due to the sheer number of Heroku customers running PostgreSQL databases.

The privilege also raises questions about PostgreSQL policy toward security and who gets early access and who does not.

One Hacker News commenter said:

Meanwhile they are holding back a security fix for numerous other companies that also take security extremely seriously. This creates a situation where companies considering PostgreSQL will now have to ask “will I get security fixes as soon as they are ready or will I intentionally be left vulnerable while more privileged users get early access?” Not a good precedent as far as I’m concerned.

It’s an unusual move by Heroku and a striking example of how cloud security is a major issue. Companies like Heroku rarely issue forced updates, and when they do, it is most often for major updates to the platform. But a security vulnerability such as this one could have consequences for the entire platform.