On November 7, 2017, Apache CouchDB 2.1.1 and 1.7.0/1.7.1 were released. The new versions fix two high-severity remote command execution vulnerabilities, CVE-2017-12635 and CVE-2017-12636.
See the following for more information about the vulnerabilities.
CVE identifier
CVE-2017-12635/12636
Vulnerability name
Remote command execution vulnerabilities in Apache CouchDB
Vulnerability rating
High
Vulnerability description
CVE-2017-12635
CouchDB uses an Erlang-based JSON parser for storage, while its document validation runs in a JavaScript-based JSON parser, and the two treat duplicate keys differently. This lets a user submit a _users document that contains a duplicate roles key (even one including the _admin role) and thereby bypass access control. Combined with CVE-2017-12636 (remote code execution), a non-administrator user can execute arbitrary shell commands on the server as the database system user.
The discrepancy between the JSON parsers has the following impact: if a document contains two roles keys, the first is the one used for subsequent authorization of the newly created user, while the second is the one checked when the document is written. By design, users must not be able to assign roles to themselves; this vulnerability allows a non-administrator user to gain administrator privileges.
CVE-2017-12636
A CouchDB administrator can configure the database server over HTTP(S). Among the configuration options that can be set is the path to an operating-system-level binary. This allows a CouchDB administrator to run arbitrary shell commands as the CouchDB user, including downloading scripts from the Internet and running them.
Condition and method of exploitation
Remote exploitation
PoC status
Unpublished
Affected scope
CouchDB 1.x and 2.x
Unaffected versions: 2.1.1, 1.7.0, 1.7.1, and later
Vulnerability detection
Check whether an affected version of Apache CouchDB is in use, and whether a strong password and a network access control policy are configured.
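The following is an added example, not part of the original advisory, that implements the two checks above: it reads the version from the JSON body CouchDB returns for GET / and compares it against the fixed versions listed in this advisory, and it flags inbound JSON documents whose objects repeat a key, which is the ambiguity the two CouchDB parsers resolved differently. The banner and document samples are constructed for the example; the `version` and `couchdb` fields match what CouchDB's root endpoint returns.

```python
import json
import re

# First fixed release in each affected line, per the advisory: 1.7.0 (1.x)
# and 2.1.1 (2.x). Anything older in the same line is affected.
FIXED = {1: (1, 7, 0), 2: (2, 1, 1)}

# Constructed sample of a GET / response from a vulnerable 2.1.0 node.
SAMPLE_BANNER = '{"couchdb":"Welcome","version":"2.1.0","vendor":{"name":"x"}}'
# Constructed user document with a repeated "roles" key (benign values).
SAMPLE_USER_DOC = '{"type":"user","roles":["reader"],"roles":["editor"]}'


def parse_version(text: str) -> tuple:
    """Turn a CouchDB version string such as '2.1.0' or '1.6.1' into a tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised CouchDB version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version lies in an affected 1.x or 2.x range."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # 3.x and later were released after the fix
    return v < fixed


def check_welcome_banner(body: str) -> dict:
    """Report the version from a GET / body and whether it is affected."""
    version = json.loads(body).get("version", "")
    return {"version": version, "affected": is_affected(version)}


class DuplicateKeyError(ValueError):
    pass


def _reject_duplicates(pairs):
    """object_pairs_hook that refuses any object with a repeated key."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise DuplicateKeyError(f"duplicate key {key!r} in JSON object")
        seen.add(key)
    return dict(pairs)


def has_duplicate_keys(doc: str) -> bool:
    """True if any object in the document repeats a key; malformed JSON
    still raises json.JSONDecodeError so it is not silently accepted."""
    try:
        json.loads(doc, object_pairs_hook=_reject_duplicates)
    except DuplicateKeyError:
        return True
    return False
```

A reverse proxy or validation hook in front of the _users database can use `has_duplicate_keys` to reject ambiguous documents, while `check_welcome_banner` fits into an inventory script that polls each node's root endpoint.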
How to fix or mitigate
Internet Apache CouchDB instance
- We recommend that you upgrade Apache CouchDB to the latest version.
- Use ECS security groups or a firewall policy to block exposure of CouchDB ports to the Internet, and configure fine-grained network access control.
- Enable authentication. Do not use the default account and password; create a custom account with a strong password to resist brute-force attacks.
Intranet Apache CouchDB instance
- Use ECS security groups or a firewall policy to block exposure of CouchDB ports to the Internet, and configure fine-grained network access control.
- Enable authentication. Do not use the default account and password; create a custom account with a strong password to resist brute-force attacks.