| .. Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| .. use this file except in compliance with the License. You may obtain a copy of |
| .. the License at |
| .. |
| .. http://www.apache.org/licenses/LICENSE-2.0 |
| .. |
| .. Unless required by applicable law or agreed to in writing, software |
| .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| .. License for the specific language governing permissions and limitations under |
| .. the License. |
| |
| .. _cve/2017-12635: |
| |
| ========================================================== |
| CVE-2017-12635: Apache CouchDB Remote Privilege Escalation |
| ========================================================== |
| |
| :Date: 14.11.2017 |
| |
| :Affected: All Versions of Apache CouchDB |
| |
| :Severity: Critical |
| |
| :Vendor: The Apache Software Foundation |
| |
| Description |
| =========== |
| |
| Due to differences in CouchDB’s Erlang-based JSON parser and JavaScript-based |
| JSON parser, it is possible to submit _users documents with duplicate keys for |
| `roles` used for access control within the database, including the special case |
| `_admin` role, that denotes administrative users. In combination with |
| :ref:`CVE-2017-12636 <cve/2017-12636>` (Remote Code Execution), this can be used |
| to give non-admin users access to arbitrary shell commands on the server as the |
| database system user. |
| |
| Mitigation |
| ========== |
| |
| All users should upgrade to CouchDB :ref:`1.7.1 <release/1.7.1>` or |
| :ref:`2.1.1 <release/2.1.1>`. |
| |
| Upgrades from previous 1.x and 2.x versions in the same series should be |
| seamless. |
| |
| Users on earlier versions, or users upgrading from 1.x to 2.x should consult |
| with upgrade notes. |
| |
| Example |
| ======= |
| |
| The JSON parser differences result in behaviour that if two `roles` keys |
| are available in the JSON, the second one will be used for authorising the |
| document write, but the first `roles` key is used for subsequent authorisation |
| for the newly created user. By design, users can not assign themselves roles. |
| The vulnerability allows non-admin users to give themselves admin privileges. |
| |
| We addressed this issue by updating the way CouchDB parses JSON in Erlang, |
| mimicking the JavaScript behaviour of picking the last key, if duplicates exist. |
| |
| Credit |
| ====== |
| |
| This issue was discovered by `Max Justicz`_. |
| |
| .. _Max Justicz: https://mastodon.mit.edu/@maxj |