
[Vulnerability notice] CVE-2017-12635/12636: Remote command execution vulnerabilities in Apache CouchDB

Last Updated: Apr 08, 2018

On November 7, 2017, Apache CouchDB 2.1.1 and 1.7.0/1.7.1 were released. These versions fix two high-severity remote command execution vulnerabilities, CVE-2017-12635 and CVE-2017-12636.

The following sections give more information about the vulnerabilities.


CVE identifier

CVE-2017-12635/12636

Vulnerability name

Remote command execution vulnerabilities in Apache CouchDB

Vulnerability rating

High

Vulnerability description

  • CVE-2017-12635

    CouchDB uses an Erlang-based JSON parser, which behaves differently from the JavaScript-based JSON parser used by its document validation functions. Because of this, a user can submit to the _users database (which CouchDB relies on for access control) a user document that contains duplicate roles keys, even one that includes the _admin role, and have it accepted. Combined with CVE-2017-12636 (remote code execution), a non-administrator user can run arbitrary shell commands on the server as the database system user.

    The discrepancy between the parsers has the following effect: when a document contains two roles keys, the Erlang side keeps the first one and uses it for the subsequent authorization of the newly created user, while the JavaScript side keeps the second one and uses it when validating the document write. By design, users must not be able to assign roles to themselves; this discrepancy lets a non-administrator user obtain administrator privileges.

  • CVE-2017-12636

    A CouchDB administrator can configure the database server over HTTP(S). Among the options that can be set are the paths of operating-system-level binaries that CouchDB executes. This lets a CouchDB administrator run arbitrary shell commands as the CouchDB user, including downloading scripts from the Internet and running them.
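The parser discrepancy behind CVE-2017-12635 is easiest to see by feeding one document to two parsers. The following Python script is an added illustration written for this notice; it is not CouchDB code and does not reproduce CouchDB's own validate_doc_update function. It models a "first value wins" parser and a "last value wins" parser side by side, and then shows the defensive check a write path wants: fail closed on any duplicate key, and refuse role assignments from non-administrators and reserved role names. The sample documents and the validate_user_doc helper are constructed for this example.

```python
import json


def _reject_duplicates(pairs):
    """object_pairs_hook that fails closed on a repeated key within one JSON object."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key: {key!r}")
        seen.add(key)
    return dict(pairs)


def parse_strict(text):
    """Parse JSON but refuse any document containing a duplicate key (at any depth)."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def first_wins(text):
    """Model of a parser that keeps the FIRST value of a repeated key (Erlang-side behaviour)."""
    return json.loads(text, object_pairs_hook=lambda pairs: dict(reversed(pairs)))


def last_wins(text):
    """Model of a parser that keeps the LAST value (JavaScript's JSON.parse; also Python's default)."""
    return json.loads(text)


def validate_user_doc(text, actor_is_admin=False):
    """Hypothetical pre-write check for a _users document (not CouchDB's own function).

    Returns (accepted, reason). Duplicate keys are rejected outright, so no downstream
    parser can see a different 'roles' value than the one that was validated here.
    """
    try:
        doc = parse_strict(text)
    except ValueError as exc:
        return False, f"rejected: {exc}"
    roles = doc.get("roles", [])
    if not isinstance(roles, list) or not all(isinstance(r, str) for r in roles):
        return False, "rejected: roles must be a list of strings"
    if roles and not actor_is_admin:
        return False, "rejected: only an administrator may assign roles"
    if any(r.startswith("_") for r in roles):  # "_admin" and other reserved system roles
        return False, "rejected: reserved role"
    return True, "accepted"


# Constructed sample documents, not taken from any real deployment.
DUPLICATE_ROLES_DOC = (
    '{"_id": "org.couchdb.user:alice", "name": "alice", "type": "user", '
    '"roles": ["editor"], "roles": [], "password": "example-only"}'
)
CLEAN_DOC = (
    '{"_id": "org.couchdb.user:alice", "name": "alice", "type": "user", '
    '"roles": [], "password": "example-only"}'
)

if __name__ == "__main__":
    print("first-wins parser sees roles =", first_wins(DUPLICATE_ROLES_DOC)["roles"])
    print("last-wins parser sees roles  =", last_wins(DUPLICATE_ROLES_DOC)["roles"])
    print("strict validator:", validate_user_doc(DUPLICATE_ROLES_DOC))
    print("clean document:  ", validate_user_doc(CLEAN_DOC))
```

The two model parsers disagree about the same document, which is exactly the condition a validation layer written for one parser and an authorization layer written for another cannot tolerate. Rejecting duplicate keys at the boundary removes the disagreement instead of trying to reason about it.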

Condition and method of exploitation

Remote exploitation

PoC status

Unpublished

Affected scope

CouchDB 1.x and 2.x

Unaffected versions: 2.1.1, 1.7.0, 1.7.1, and later versions

Vulnerability detection

Check whether the Apache CouchDB version in use falls within the affected scope, and whether a strong password and a network access control policy are configured.
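The detection step above can be scripted. The following Python script is an added example written for this notice, not a tool shipped by Apache CouchDB or Alibaba Cloud. It classifies a reported version against the fixed releases listed in this notice, and audits a configuration dictionary (in the shape CouchDB returns from its configuration endpoint, GET /_config on 1.x and GET /_node/_local/_config on 2.x) for the three conditions the notice cares about: query-server entries that launch an unexpected executable, a listener bound to all interfaces, and an empty admins section. The allowlist of expected couchjs paths and the sample configuration are constructed assumptions; the fetch helper is provided for a live check but is not exercised offline.

```python
import json
import re
from urllib.request import urlopen

# First fixed release of each affected major line, as stated in the notice.
FIRST_FIXED = {1: (1, 7, 0), 2: (2, 1, 1)}

# Executables a query server is expected to launch. This allowlist is an assumption
# for illustration; replace it with the paths your own packages install.
EXPECTED_BINARY_PREFIXES = (
    "/usr/bin/couchjs",
    "/usr/lib/couchdb/bin/couchjs",
    "/opt/couchdb/bin/couchjs",
)


def parse_version(text):
    """Turn '1.6.1', '2.1' or '2.1.1-foo' into a comparable (major, minor, patch) tuple."""
    match = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version):
    """True when the version lies inside the notice's affected scope (1.x/2.x before the fix)."""
    parsed = parse_version(version)
    fixed = FIRST_FIXED.get(parsed[0])
    if fixed is None:
        return False  # other major lines are outside the scope this notice states
    return parsed < fixed


def audit_config(config):
    """Review a CouchDB configuration dict {"section": {"key": "value"}} and return findings."""
    findings = []
    # CVE-2017-12636: query_servers entries name the executable CouchDB launches.
    for language, command in config.get("query_servers", {}).items():
        executable = command.split()[0] if command.strip() else ""
        if not executable.startswith(EXPECTED_BINARY_PREFIXES):
            findings.append(f"query_servers.{language} runs an unexpected executable: {command!r}")
    # Network exposure: 1.x uses [httpd], 2.x uses [chttpd] for the client-facing listener.
    for section in ("httpd", "chttpd"):
        if config.get(section, {}).get("bind_address") in ("0.0.0.0", "::"):
            findings.append(f"{section}.bind_address listens on all interfaces; "
                            "restrict it or front it with a firewall/security group")
    # Authentication: an empty [admins] section means every client is an administrator.
    if not config.get("admins"):
        findings.append("no administrator accounts configured: authentication is effectively disabled")
    return findings


def fetch_server_info(base_url):
    """Live check (not run offline): GET / on a CouchDB node returns JSON with a 'version' field."""
    with urlopen(base_url.rstrip("/") + "/", timeout=5) as response:
        return json.load(response)


# Constructed sample configuration, not captured from a real node.
SAMPLE_CONFIG = {
    "query_servers": {
        "javascript": "/usr/bin/couchjs /usr/share/couchdb/server/main.js",
        "coffeescript": "/tmp/not-couchjs",  # constructed: an entry the audit must flag
    },
    "httpd": {"bind_address": "0.0.0.0", "port": "5984"},
    "admins": {},
}

if __name__ == "__main__":
    for version in ("1.6.1", "1.7.0", "2.1.0", "2.1.1"):
        print(version, "affected" if is_affected(version) else "not affected")
    for finding in audit_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a live node, pass the JSON from fetch_server_info(...)["version"] to is_affected and the JSON from the configuration endpoint to audit_config; if the configuration endpoint answers without credentials, that by itself is a finding, since it means administrative access is not authenticated.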

How to fix or mitigate

  • Internet-facing Apache CouchDB instance

    • We recommend that you upgrade Apache CouchDB to the latest version.
    • Use ECS security groups or firewall policies to block exposure of CouchDB ports to the Internet, and configure fine-grained network access control.
    • Enable authentication. Do not use the default account and password; create a dedicated account with a strong password to resist brute-force attacks.
  • Intranet Apache CouchDB instance

    • Use ECS security groups or firewall policies to block exposure of CouchDB ports to the Internet, and configure fine-grained network access control.
    • Enable authentication. Do not use the default account and password; create a dedicated account with a strong password to resist brute-force attacks.

Reference

[1] https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636
[2] http://seclists.org/oss-sec/2017/q4/279
