
List:       oss-security
Subject:    [oss-security] CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging
From:       Jan Lehnardt <jan () apache ! org>
Date:       2022-04-26 8:44:41
Message-ID: a388a13c-2f49-a36d-668a-633583013717 () apache ! org

Severity: critical

Description:

An attacker can access an improperly secured default installation without
authenticating and gain admin privileges.

1. CouchDB opens a random network port, bound to all available interfaces
   in anticipation of clustered operation and/or runtime introspection. A
   utility process called `epmd` advertises that random port to the network.
   `epmd` itself listens on a fixed port.
2. CouchDB packaging previously chose a default `cookie` value for single-node
   as well as clustered installations. That cookie authenticates any
   communication between Erlang nodes.

The CouchDB documentation[1] has always made recommendations for properly
securing an installation, but not all users follow the advice.

We recommend a firewall in front of all CouchDB installations. The full
CouchDB API is available on registered port `5984` and this is the only
port that needs to be exposed for a single-node install. Installations
that do not expose the separate distribution port to external access are
not vulnerable.

[1]: https://docs.couchdb.org/en/stable/setup/cluster.html



Mitigation:

CouchDB 3.2.2 and onwards will refuse to start with the former default
Erlang cookie value of `monster`. Installations that upgrade to this
version are forced to choose a different value.

In addition, all binary packages have been updated to bind `epmd` as
well as the CouchDB distribution port to `127.0.0.1` and/or `::1`
respectively.
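As an added example for auditing the two conditions described above (the
former default `cookie` still in use, and `epmd` or the distribution port
listening on all interfaces rather than loopback), here is a small POSIX
shell script. It is not part of this advisory or of the CouchDB project. It
assumes that the node's Erlang flags live in a `vm.args` file using the
standard `-setcookie <value>` form, that `epmd` listens on its well-known
port 4369, and that socket state comes from `ss -ltn` output; the random
distribution port is whatever `epmd -names` reports for the node and is
passed in as an argument. All inputs in the demo are constructed.

```shell
#!/bin/sh
# Added audit example for the conditions described in this advisory. It is
# not part of the advisory or of the CouchDB project. Assumptions: the node's
# Erlang flags are in a vm.args file using "-setcookie <value>", epmd listens
# on its well-known port 4369, and listening sockets come from "ss -ltn".

# check_cookie FILE
# Exit status: 1 if FILE still uses the former default cookie "monster",
# 2 if no cookie is configured at all, 0 if a non-default cookie is set.
check_cookie() {
    cookie=$(awk '$1 == "-setcookie" { print $2 }' "$1" | tail -n 1)
    [ -n "$cookie" ] || return 2
    [ "$cookie" != "monster" ] || return 1
    return 0
}

# check_exposure PORT...
# Reads "ss -ltn" output on stdin and prints each listener on one of the
# given ports that is bound to a wildcard address instead of loopback.
# Exit status: 1 if at least one such listener was found, 0 otherwise.
check_exposure() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) wanted[p[i]] = 1 }
        $1 == "State" || NF < 4 { next }          # skip header and blank lines
        {
            addr = $4                              # "Local Address:Port" column
            m = split(addr, a, ":")
            port = a[m]                            # text after the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if ((port in wanted) &&
                (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::")) {
                print "exposed: " addr
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# Demonstration on constructed inputs; no real system is touched.
demo() {
    tmp=$(mktemp)
    printf -- '-name couchdb@127.0.0.1\n-setcookie monster\n' > "$tmp"
    rc=0; check_cookie "$tmp" || rc=$?
    echo "default cookie check: rc=$rc (1 = still 'monster')"
    rm -f "$tmp"

    # Constructed "ss -ltn" output: epmd on all interfaces, a random
    # distribution port (43211 here) on all interfaces, and the HTTP API
    # on 5984, which is the only port that needs to be reachable.
    rc=0
    check_exposure 4369 43211 <<'EOF' || rc=$?
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:4369        0.0.0.0:*
LISTEN 0      128    [::]:43211          [::]:*
LISTEN 0      128    0.0.0.0:5984        0.0.0.0:*
EOF
    echo "exposure check: rc=$rc (1 = wildcard listener found)"
}

demo
```

On a real host, `check_cookie` is pointed at the node's `vm.args` (the
binary packages keep it under `/opt/couchdb/etc/` on typical installs;
adjust the path for yours), and `ss -ltn | check_exposure 4369 <dist-port>`
is run with the port reported by `epmd -names`. A packaged 3.2.2 install
should report a non-default cookie and show both ports bound to
`127.0.0.1` or `::1` only.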

Credit:

The Apache CouchDB Team would like to thank Alex Vandiver <alexmv@zulip.com>
for the report of this issue.

References:

https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
