Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 14 Nov 2017 12:26:19 -0500 (EST)
From: Joan Touzet <wohali@...che.org>
To: oss-security@...ts.openwall.com
Cc: Security CouchDB <security@...chdb.apache.org>
Subject: Apache CouchDB CVE-2017-12635 and CVE-2017-12636

Forwarding from https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E on Jan Lehnardt's behalf.

-----

Dear CouchDB Community,

Last week, we announced the release of CouchDB versions 2.1.1 &
1.7.0/1.7.1 and marked them as CRITICAL security updates.

Today we are releasing detailed information about the security issues.

We expect all users to have updated already.

# Overview

## CVE-2017-12635

Due to differences in CouchDB’s Erlang-based JSON parser and JavaScript-based
JSON parser, it is possible to submit _users documents with duplicate keys for
`roles` used for access control within the database, including the special case
`_admin` role, that denotes administrative users. In combination with
`CVE-2017-12636` (Remote Code Execution), this can be used to give non-admin
users access to arbitrary shell commands on the server as the database system
user.

The JSON parser differences result in behaviour that if two `roles` keys
are available in the JSON, the second one will be used for authorising the
document write, but the first `roles` key is used for subsequent
authorization for the newly created user. By design, users can not assign
themselves roles. The vulnerability allows non-admin users to give
themselves admin privileges.

We addressed this issue by updating the way CouchDB parses JSON in
Erlang, mimicking the JavaScript behaviour of picking the last key, if
duplicates exist.

This issue was discovered by `Max Justicz` (https://mastodon.mit.edu/@maxj)

See also: Max’s own blog post about the issue and the motivation behind
his research: https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

## CVE-2017-12636

CouchDB administrative users can configure the database server via HTTP(S). Some
of the configuration options include paths for operating system-level binaries
that are subsequently launched by CouchDB. This allows a CouchDB admin user to
execute arbitrary shell commands as the CouchDB user, including downloading
and executing scripts from the public internet.

This issue was discovered by `Joan Touzet` (http://www.atypical.net) of the
CouchDB Security team during the investigation of `CVE-2017-12635`.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.