| .. Licensed under the Apache License, Version 2.0 (the "License"); you may not |
| .. use this file except in compliance with the License. You may obtain a copy of |
| .. the License at |
| .. |
| .. http://www.apache.org/licenses/LICENSE-2.0 |
| .. |
| .. Unless required by applicable law or agreed to in writing, software |
| .. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT |
| .. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the |
| .. License for the specific language governing permissions and limitations under |
| .. the License. |
| |
| .. _cve/2018-11769: |
| |
| ==================================================== |
| CVE-2018-11769: Apache CouchDB Remote Code Execution |
| ==================================================== |
| |
| :Date: 08.08.2018 |
| |
| :Affected: Apache CouchDB 1.x and ≤2.1.2 |
| |
| :Severity: Low |
| |
| :Vendor: The Apache Software Foundation |
| |
| Description |
| =========== |
| |
| CouchDB administrative users can configure the database server via HTTP(S). Due |
| to insufficient validation of administrator-supplied configuration settings via |
| the HTTP API, it is possible for a CouchDB administrator user to escalate their |
| privileges to that of the operating system’s user under which CouchDB runs, by |
| bypassing the blacklist of configuration settings that are not allowed to be |
| modified via the HTTP API. |
| |
| This privilege escalation effectively allows a CouchDB admin user to gain |
| arbitrary remote code execution, bypassing mitigations for |
| :ref:`CVE-2017-12636 <cve/2017-12636>` and :ref:`CVE-2018-8007 <cve/2018-8007>`. |
| |
| Mitigation |
| ========== |
| |
| All users should upgrade to CouchDB :ref:`2.2.0 <release/2.2.0>`. |
| |
| Upgrades from previous 2.x versions in the same series should be seamless. |
| |
| Users still on CouchDB 1.x should be advised that the Apache CouchDB team no |
| longer support 1.x. |
| |
| In-place mitigation (on any 1.x release, or 2.x prior to 2.2.0) is possible by |
| removing the ``_config`` route from the ``default.ini`` file, as follows: |
| |
| .. code-block:: text |
| |
| [httpd_global_handlers] |
| ;_config = {couch_httpd_misc_handlers, handle_config_req} |
| |
| or by blocking access to the `/_config` (1.x) or `/_node/*/_config` routes at a reverse |
| proxy in front of the service. |