
[Vulnerability notice] Unauthorized access vulnerability in CouchDB

Last Updated: May 07, 2018

Description

The CouchDB database service is exposed to unauthorized access when it is deployed with an insecure configuration, and attackers can exploit this exposure in the following ways:

  • Attackers can access internal data in CouchDB without authentication, which can leak sensitive information. Attackers can also maliciously delete data in CouchDB.
  • Attackers can configure a user-defined function to run a system command directly.

Affected versions

CouchDB servers that are open to the Internet and have not enabled authentication for access.

Fix

1. Prohibit access to the CouchDB service from external networks

Locate bind_address = 0.0.0.0 in the /etc/couchdb/local.ini configuration file, change 0.0.0.0 to 127.0.0.1, and then save the changes.

Note:

  • The configuration takes effect after the CouchDB service is restarted.
  • Once the configuration takes effect, only the local machine can access the CouchDB service.

2. Set a password for the CouchDB account

Locate the [admins] section in the /etc/couchdb/local.ini configuration file, add an administrator account and its password under the [admins] section, and then save the changes.

Note:

  • The configuration takes effect after the CouchDB service is restarted.
  • Once the configuration takes effect, the CouchDB client also requires this password to access the CouchDB service.

3. Change the CouchDB service running accounts

Run the CouchDB service with an account that has lower permissions and disable the system logon permission for this account.

With this method, you limit the ability of attackers to run high-risk commands, but CouchDB data remains readable by attackers and can still be maliciously deleted.

Note: The configuration takes effect after the CouchDB service is restarted.

4. Set the firewall policy

If another server needs to access the CouchDB service, set iptables policies that allow only the specified IP addresses to reach the CouchDB service.
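The following shell script is an added example for steps 1 and 2 above; it is not part of this notice and not CouchDB's own tooling. It audits a local.ini for the two settings the notice describes (bind_address = 0.0.0.0 and an empty [admins] section) and writes a hardened copy. The sample configuration embedded in the script is constructed for the demonstration, the path /etc/couchdb/local.ini is only referenced in comments, and the admin password CHANGE-ME-example is a placeholder to be replaced before use.

```shell
#!/bin/sh
# Constructed sample of an insecure local.ini (not captured from any real host).
# It reflects the two conditions in the notice: the service bound to every
# interface and no administrator account defined under [admins].
SAMPLE_INSECURE_INI='[httpd]
port = 5984
bind_address = 0.0.0.0

[admins]
; admin = password goes here
'

# audit_couchdb_ini FILE
# Prints one finding per insecure setting. Returns 0 when FILE is hardened,
# 1 when it listens on all interfaces or defines no admin account.
audit_couchdb_ini() {
    file="$1"
    status=0
    if grep -Eq '^[[:space:]]*bind_address[[:space:]]*=[[:space:]]*0\.0\.0\.0' "$file"; then
        echo "FINDING: bind_address is 0.0.0.0 (CouchDB listens on every interface)"
        status=1
    fi
    # Count "name = value" lines inside [admins], ignoring blank and comment lines.
    admins=$(awk '
        /^\[/ { in_admins = ($0 == "[admins]"); next }
        in_admins && $0 !~ /^[ \t]*([;#].*)?$/ && $0 ~ /=/ { n++ }
        END { print n + 0 }' "$file")
    if [ "$admins" -eq 0 ]; then
        echo "FINDING: no administrator account defined in [admins]"
        status=1
    fi
    return $status
}

# harden_couchdb_ini IN OUT ADMIN_USER ADMIN_PASSWORD
# Writes a copy of IN to OUT with bind_address forced to 127.0.0.1 and an
# "user = password" line added under [admins] (the section is created if
# missing). CouchDB replaces the plaintext password with a hash when it
# next starts, so the service must be restarted for both changes to apply.
harden_couchdb_ini() {
    in="$1"; out="$2"; user="$3"; pass="$4"
    awk -v user="$user" -v pass="$pass" '
        /^[ \t]*bind_address[ \t]*=/ { print "bind_address = 127.0.0.1"; next }
        /^\[admins\]/ { print; print user " = " pass; seen = 1; next }
        { print }
        END { if (!seen) { print ""; print "[admins]"; print user " = " pass } }' "$in" > "$out"
}

# Demonstration on the constructed sample; on a real host the input would be
# /etc/couchdb/local.ini and the password a real secret, not the placeholder.
demo_dir=$(mktemp -d)
printf '%s' "$SAMPLE_INSECURE_INI" > "$demo_dir/local.ini"
echo "== audit of insecure sample =="
if audit_couchdb_ini "$demo_dir/local.ini"; then echo "no findings"; fi
harden_couchdb_ini "$demo_dir/local.ini" "$demo_dir/hardened.ini" admin 'CHANGE-ME-example'
echo "== audit of hardened copy =="
if audit_couchdb_ini "$demo_dir/hardened.ini"; then echo "no findings"; fi
echo "== hardened local.ini =="
cat "$demo_dir/hardened.ini"
rm -rf "$demo_dir"
```

The audit treats only an explicit 0.0.0.0 binding as a finding, so a file that already binds to 127.0.0.1 or to a private address passes the first check; the firewall policy in step 4 still applies whenever another host must reach the service.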
