Posted to commits@couchdb.apache.org by wo...@apache.org on 2018/08/08 14:08:48 UTC

[couchdb-documentation] branch CVE-2018-11769 created (now 0526bfc)

This is an automated email from the ASF dual-hosted git repository.

wohali pushed a change to branch CVE-2018-11769
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git.


      at 0526bfc  Disclose CVE 2018-11769

This branch includes the following new commits:

     new 0526bfc  Disclose CVE 2018-11769

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[couchdb-documentation] 01/01: Disclose CVE 2018-11769

Posted by wo...@apache.org.

wohali pushed a commit to branch CVE-2018-11769
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git

commit 0526bfce1110539b6165481db36392d556b82490
Author: Joan Touzet <jo...@atypical.net>
AuthorDate: Wed Aug 8 10:07:52 2018 -0400

    Disclose CVE 2018-11769
---
 src/cve/2018-11769.rst | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++
 src/whatsnew/2.2.rst   |  2 ++
 2 files changed, 62 insertions(+)

diff --git a/src/cve/2018-11769.rst b/src/cve/2018-11769.rst
new file mode 100644
index 0000000..7968116
--- /dev/null
+++ b/src/cve/2018-11769.rst
@@ -0,0 +1,60 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2018-11769:
+
+====================================================
+CVE-2018-11769: Apache CouchDB Remote Code Execution
+====================================================
+
+:Date: 08.08.2018
+
+:Affected: Apache CouchDB 1.x and ≤2.1.2
+
+:Severity: Low
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+CouchDB administrative users can configure the database server via HTTP(S). Due
+to insufficient validation of administrator-supplied configuration settings via
+the HTTP API, it is possible for a CouchDB administrator user to escalate their
+privileges to that of the operating system’s user under which CouchDB runs, by
+bypassing the blacklist of configuration settings that are not allowed to be
+modified via the HTTP API.
+
+This privilege escalation effectively allows a CouchDB admin user to gain
+arbitrary remote code execution, bypassing mitigations for
+:ref:`CVE-2017-12636 <cve/2017-12636>` and :ref:`CVE-2018-8007 <cve/2018-8007>`.
+
+Mitigation
+==========
+
+All users should upgrade to CouchDB :ref:`2.2.0 <release/2.2.0>`.
+
+Upgrades from previous 2.x versions in the same series should be seamless.
+
+Users still on CouchDB 1.x should be advised that the Apache CouchDB team no
+longer support 1.x.
+
+In-place mitigation (on any 1.x release, or 2.x prior to 2.2.0) is possible by
+removing the ``_config`` route from the ``default.ini`` file, as follows:
+
+   .. code-block:: text
+
+    [httpd_global_handlers]
+    ;_config = {couch_httpd_misc_handlers, handle_config_req}
+
+or by blocking access to the `/_config` (1.x) or `/_node/*/_config` routes at a reverse
+proxy in front of the service.
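Review bot: the in-place mitigation paragraph claims to cover "any 1.x release, or 2.x prior to 2.2.0", but the `default.ini` change it shows only comments out the `[httpd_global_handlers] _config = {couch_httpd_misc_handlers, handle_config_req}` entry, while the same paragraph names the 2.x route as `/_node/*/_config`; the text should state whether that ini change actually disables the 2.x route or whether 2.x users must rely on the reverse-proxy block. Two markup points in the same region: the `.. code-block:: text` directive is indented three spaces under a non-indented paragraph, so Sphinx will wrap it in a block quote rather than render it as a plain literal block (drop the indent so the directive starts in column 0, with the ini lines indented beneath it), and `/_config` and `/_node/*/_config` use single backticks (interpreted text, rendered as emphasis) where the rest of the page uses ``_config`` with double backticks for literals, so they should read ``/_config`` and ``/_node/*/_config``. Finally, "the Apache CouchDB team no longer support 1.x" should read "supports".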
diff --git a/src/whatsnew/2.2.rst b/src/whatsnew/2.2.rst
index 6328b4d..ef51172 100644
--- a/src/whatsnew/2.2.rst
+++ b/src/whatsnew/2.2.rst
@@ -86,6 +86,8 @@ Upgrade Notes
   This feature never worked in 2.0 for databases, only for shards, making it effectively
   useless.
 
+.. _release/2.2.0:
+
 Version 2.2.0
 =============