oss-sec mailing list archives
CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in Packaging
From: Jan Lehnardt <jan () apache org>
Date: Tue, 26 Apr 2022 08:44:41 +0000
Severity: critical

Description:

An attacker can access an improperly secured default installation without authenticating and gain admin privileges.

1. CouchDB opens a random network port, bound to all available interfaces in anticipation of clustered operation and/or runtime introspection. A utility process called `epmd` advertises that random port to the network. `epmd` itself listens on a fixed port.

2. CouchDB packaging previously chose a default `cookie` value for single-node as well as clustered installations. That cookie authenticates any communication between Erlang nodes.

The CouchDB documentation[1] has always made recommendations for properly securing an installation, but not all users follow the advice. We recommend a firewall in front of all CouchDB installations. The full CouchDB API is available on registered port `5984` and this is the only port that needs to be exposed for a single-node install. Installations that do not expose the separate distribution port to external access are not vulnerable.

[1]: https://docs.couchdb.org/en/stable/setup/cluster.html

Mitigation:

CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of `monster`. Installations that upgrade to this version are forced to choose a different value. In addition, all binary packages have been updated to bind `epmd` as well as the CouchDB distribution port to `127.0.0.1` and/or `::1` respectively.

Credit:

The Apache CouchDB Team would like to thank Alex Vandiver <alexmv () zulip com> for the report of this issue.

References:

https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00
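The two conditions the advisory describes (the default `monster` cookie and a distribution port bound to all interfaces) are both visible in a node's Erlang vm.args. The following audit script is an added example, not CouchDB project code: it parses vm.args-style text for the real Erlang flags `-setcookie` and `-kernel inet_dist_use_interface` and reports either condition; the two sample configurations are constructed for illustration, and the file location on a given host is assumed to be known to the operator.

```python
"""Audit vm.args contents for the two CVE-2022-24706 packaging defaults."""
import re

DEFAULT_COOKIE = "monster"  # former packaging default named in the advisory
# Erlang address tuples for IPv4 and IPv6 loopback
LOOPBACK = {"{127,0,0,1}", "{0,0,0,0,0,0,0,1}"}


def audit_vm_args(text):
    """Return a list of findings (empty list means neither condition is present)."""
    cookie = None
    dist_iface = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # vm.args comments start with '#'
        if not line:
            continue
        m = re.match(r"-setcookie\s+(\S+)", line)
        if m:
            cookie = m.group(1)
        m = re.match(r"-kernel\s+inet_dist_use_interface\s+(.+)$", line)
        if m:
            dist_iface = re.sub(r"\s+", "", m.group(1))  # normalise "{127, 0, 0, 1}"
    findings = []
    if cookie is None:
        findings.append("no -setcookie flag; verify where this node gets its cookie")
    elif cookie == DEFAULT_COOKIE:
        findings.append("default cookie 'monster' in use (CouchDB >= 3.2.2 refuses to start)")
    if dist_iface is None:
        findings.append("distribution port binds all interfaces (no inet_dist_use_interface)")
    elif dist_iface not in LOOPBACK:
        findings.append(f"distribution port bound to non-loopback interface {dist_iface}")
    # epmd's own bind address is configured outside vm.args, so it is not checked here.
    return findings


# Constructed sample mirroring the pre-3.2.2 packaged defaults described above.
VULNERABLE_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie monster
"""

# Constructed sample reflecting the hardened packaging: unique cookie, loopback-only.
HARDENED_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie example_unique_cookie_value
-kernel inet_dist_use_interface {127,0,0,1}
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_VM_ARGS), ("hardened", HARDENED_VM_ARGS)):
        print(label, audit_vm_args(cfg) or ["ok"])
```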