List: oss-security
Subject: [oss-security] CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging
From: Jan Lehnardt <jan () apache ! org>
Date: 2022-04-26 8:44:41
Message-ID: a388a13c-2f49-a36d-668a-633583013717 () apache ! org
Severity: critical
Description:
An attacker can access an improperly secured default installation without
authenticating and gain admin privileges.
1. CouchDB opens a random network port, bound to all available interfaces
in anticipation of clustered operation and/or runtime introspection. A
utility process called `epmd` advertises that random port to the network.
`epmd` itself listens on a fixed port.
2. CouchDB packaging previously chose a default `cookie` value for single-node
as well as clustered installations. That cookie authenticates any
communication between Erlang nodes.
The CouchDB documentation[1] has always made recommendations for properly
securing an installation, but not all users follow the advice.
We recommend a firewall in front of all CouchDB installations. The full
CouchDB API is available on registered port `5984`, and this is the only
port that needs to be exposed for a single-node install. Installations
that do not expose the separate distribution port to external access are
not vulnerable.
[1]: https://docs.couchdb.org/en/stable/setup/cluster.html
Mitigation:
CouchDB 3.2.2 and onwards will refuse to start with the former default
Erlang cookie value of `monster`. Installations that upgrade to this
version are forced to choose a different value.
In addition, all binary packages have been updated to bind `epmd` as
well as the CouchDB distribution port to `127.0.0.1` and/or `::1`
respectively.
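The two conditions in the description (a distribution port bound to all interfaces and advertised by `epmd`, plus the shared default cookie) and the two mitigations above can both be checked against a node's own configuration. The following is an added example, not code from the advisory or from the CouchDB project: it audits a CouchDB `vm.args` file and the `epmd` environment for those settings. It assumes the standard Erlang kernel parameters `inet_dist_use_interface` and `inet_dist_listen_min`/`inet_dist_listen_max` and the `ERL_EPMD_ADDRESS` environment variable, none of which the advisory names, and the two sample `vm.args` files are constructed for the example.

```python
"""Audit a CouchDB vm.args (and the epmd environment) for the weak settings
described in CVE-2022-24706: the former default cookie `monster` and an
Erlang distribution port / epmd listener bound to every interface.
Added example; not part of the advisory or of the CouchDB project."""
import shlex

WEAK_COOKIE = "monster"  # former packaging default, refused by CouchDB 3.2.2+
# Erlang writes an address as a tuple: 127.0.0.1 is {127,0,0,1},
# ::1 is {0,0,0,0,0,0,0,1}.
LOOPBACK_TUPLES = {"{127,0,0,1}", "{0,0,0,0,0,0,0,1}"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


def parse_vm_args(text):
    """Yield (flag, args) for every non-comment line of a vm.args file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens and tokens[0].startswith("-"):
            yield tokens[0], tokens[1:]


def audit_vm_args(text):
    """Return a list of findings; an empty list means no known-weak setting."""
    cookie = None
    dist_iface = None
    listen_range = {}
    for flag, args in parse_vm_args(text):
        if flag == "-setcookie" and args:
            cookie = args[0]
        elif flag == "-kernel" and len(args) >= 2:
            key, value = args[0], args[1]
            if key == "inet_dist_use_interface":
                dist_iface = value
            elif key in ("inet_dist_listen_min", "inet_dist_listen_max"):
                listen_range[key] = value

    findings = []
    if cookie is None:
        findings.append("no -setcookie; the node will use ~/.erlang.cookie instead")
    elif cookie == WEAK_COOKIE:
        findings.append("cookie is the former packaging default 'monster'; "
                        "CouchDB 3.2.2+ refuses to start with it")
    if dist_iface is None:
        findings.append("no inet_dist_use_interface; the distribution port "
                        "binds to all interfaces")
    elif dist_iface not in LOOPBACK_TUPLES:
        findings.append(f"distribution port bound to non-loopback {dist_iface}")
    # A random port cannot be firewalled precisely; a fixed range can.
    if dist_iface not in LOOPBACK_TUPLES and len(listen_range) < 2:
        findings.append("no inet_dist_listen_min/max; the distribution port "
                        "is random and cannot be pinned by a firewall rule")
    return findings


def audit_epmd_env(env):
    """epmd honours ERL_EPMD_ADDRESS; when unset it listens on every interface."""
    addr = env.get("ERL_EPMD_ADDRESS")
    if not addr:
        return ["ERL_EPMD_ADDRESS unset; epmd listens on all interfaces"]
    bad = [a.strip() for a in addr.split(",") if a.strip() not in LOOPBACK_ADDRS]
    return [f"epmd bound to non-loopback address {a}" for a in bad]


# Constructed sample resembling the pre-3.2.2 packaging defaults.
VULNERABLE_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie monster
-kernel error_logger silent
"""

# Constructed sample with the 3.2.2 packaging mitigations applied.
HARDENED_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie ChangeMeToAStrongRandomValue
-kernel inet_dist_use_interface {127,0,0,1}
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9200
"""

if __name__ == "__main__":
    import os
    for label, text in (("vulnerable", VULNERABLE_VM_ARGS), ("hardened", HARDENED_VM_ARGS)):
        print(f"[{label}]")
        for finding in audit_vm_args(text) or ["ok"]:
            print("  -", finding)
    for finding in audit_epmd_env(os.environ) or ["epmd: ok"]:
        print("  -", finding)
```

Run it against `/opt/couchdb/etc/vm.args` (or wherever the package installs it) by reading the file into `audit_vm_args`; the `ERL_EPMD_ADDRESS` check applies to the environment of the process that starts `epmd`, which on packaged installs is the CouchDB service unit.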
Credit:
The Apache CouchDB Team would like to thank Alex Vandiver <alexmv@zulip.com>
for the report of this issue.
References:
https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00