'[oss-security] Apache CouchDB CVE-2018-17188: Remote Privilege Escalations (Affects all versions < 2'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    [oss-security] Apache CouchDB CVE-2018-17188: Remote Privilege Escalations (Affects all versions < 2
From:       Jan Lehnardt <jan () apache ! org>
Date:       2018-12-17 10:43:55
Message-ID: 8A4D6092-8350-438C-B09E-B569A2EB233A () apache ! org
[Download RAW message or body]


#Apache CouchDB CVE-2018-17188: Remote Privilege Escalations (Affects all versions < 2.3.0)

Date:	17.12.2018
Affected:	All Versions of Apache CouchDB
Severity:	Medium
Vendor:	The Apache Software Foundation

## Description

Prior to CouchDB version 2.3.0, CouchDB allowed for runtime-configuration of key components of \
the database. In some cases, this lead to vulnerabilities where CouchDB admin users could \
access the underlying operating system as the CouchDB user. Together with other \
vulnerabilities, it allowed full system entry for unauthenticated users.

These vulnerabilities were fixed and disclosed in the following CVE reports:

	• CVE-2018-11769: Apache CouchDB Remote Code Execution[1]
	• CVE-2018-8007: Apache CouchDB Remote Code Execution[2]
	• CVE-2017-12636: Apache CouchDB Remote Code Execution[3]
	• CVE-2017-12635: Apache CouchDB Remote Privilege Escalation[4]

Rather than waiting for new vulnerabilities to be discovered, and fixing them as they come up, \
the CouchDB development team decided to make changes to avoid this entire class of \
vulnerabilities.

With CouchDB version 2.3.0, CouchDB no longer can configure key components at runtime. While \
some flexibility is needed for speciality configurations of CouchDB, the configuration was \
changed from being available at runtime to start-up time. And as such now requires shell access \
to the CouchDB server.

This closes all future paths for vulnerabilities of this type.

## Mitigation

All users should upgrade to CouchDB 2.3.0.

Upgrades from previous 2.x versions in the same series should be seamless.

Users on earlier versions should consult with upgrade notes.

## Credit

This issue was discovered by the Apple Information Security team.

—
[1]: http://docs.couchdb.org/en/stable/cve/2017-12635.html \
<http://docs.couchdb.org/en/stable/cve/2017-12635.html> [2]: \
http://docs.couchdb.org/en/stable/cve/2017-12636.html \
<http://docs.couchdb.org/en/stable/cve/2017-12636.html> [3]: \
http://docs.couchdb.org/en/stable/cve/2018-11769.html \
<http://docs.couchdb.org/en/stable/cve/2018-11769.html> [3]: \
http://docs.couchdb.org/en/stable/cve/2018-8007.html \
<http://docs.couchdb.org/en/stable/cve/2018-8007.html>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic