Posted to user@couchdb.apache.org by Andrea Brancatelli <ab...@schema31.it.INVALID> on 2020/05/20 13:37:51 UTC
CouchDB vulnerability
A client sent us a link about a supposed security problem with one of
our couchdb 2.3.1 instances.
He referred to this https://www.exploit-db.com/exploits/46595 which, to
me, seems a rather confused report that, I guess, can be related to an
"out of the box" couchdb setup in admin party.
Am I wrong? Does a correctly set up couchdb with a local admin and correct
grants to the dbs suffer from that issue?
Thanks.
--
Andrea Brancatelli
Re: CouchDB vulnerability
Posted by Joan Touzet <wo...@apache.org>.
On 2020-05-20 3:52 p.m., Andrea Brancatelli wrote:
> Thanks Joan,
>
> You’re accurate as usual.
>
> Do you think it’s worth writing to exploit-db to correct those misleading reports?
Well, it says the exploit is "unconfirmed," which I think means it's
just some random user's submission. I think it's meaningless enough (and
easily explainable, by pointing anyone to this public email thread via
https://lists.apache.org/) to not warrant official project action, but
if you want, you're welcome to write to them :)
-Joan "late nights this week" Touzet
>
> Sent from iPhone
>
>> On 20 May 2020, at 19:29, Joan Touzet <wo...@apache.org> wrote:
>>
>> Hi Andrea,
>>
>>> On 2020-05-20 9:37, Andrea Brancatelli wrote:
>>> A client sent us a link about a supposed security problem with one of
>>> our couchdb 2.3.1 instances.
>>> He referred to this https://www.exploit-db.com/exploits/46595 which, to
>>> me, seems a rather confused report that, I guess, can be related to an
>>> "out of the box" couchdb setup in admin party.
>>
>> I agree.
>>
>> The first 3 things are just showing that, in admin party, you can create a DB, delete a DB, and create a document. This is nothing new.
>>
>> #4 is showing you can create an admin on a new install if there is no admin there already. Same thing.
>>
>> #5 and #6 are nonsense entries, in that they are adding nonsense config settings through the admin config API. Not only are these not possible once you leave admin party, junk in the config file like this will be ignored.
>>
>> There is no new exploit or CVE here.
>>
>>> Am I wrong? Does a correctly set up couchdb with a local admin and correct
>>> grants to the dbs suffer from that issue?
>>
>> Nope! In short, none of this is possible once you disable admin party - except for #3 in 2.x, and that's fixable by tightening up each DB's _security.
>>
>>> Thanks.
>>
>> -Joan "open by default is confusing in 2020" Touzet
>
Re: CouchDB vulnerability
Posted by Andrea Brancatelli <ab...@schema31.it.INVALID>.
Thanks Joan,
You’re accurate as usual.
Do you think it’s worth writing to exploit-db to correct those misleading reports?
Sent from iPhone
> On 20 May 2020, at 19:29, Joan Touzet <wo...@apache.org> wrote:
>
> Hi Andrea,
>
>> On 2020-05-20 9:37, Andrea Brancatelli wrote:
>> A client sent us a link about a supposed security problem with one of
>> our couchdb 2.3.1 instances.
>> He referred to this https://www.exploit-db.com/exploits/46595 which, to
>> me, seems a rather confused report that, I guess, can be related to an
>> "out of the box" couchdb setup in admin party.
>
> I agree.
>
> The first 3 things are just showing that, in admin party, you can create a DB, delete a DB, and create a document. This is nothing new.
>
> #4 is showing you can create an admin on a new install if there is no admin there already. Same thing.
>
> #5 and #6 are nonsense entries, in that they are adding nonsense config settings through the admin config API. Not only are these not possible once you leave admin party, junk in the config file like this will be ignored.
>
> There is no new exploit or CVE here.
>
>> Am I wrong? Does a correctly set up couchdb with a local admin and correct
>> grants to the dbs suffer from that issue?
>
> Nope! In short, none of this is possible once you disable admin party - except for #3 in 2.x, and that's fixable by tightening up each DB's _security.
>
>> Thanks.
>
> -Joan "open by default is confusing in 2020" Touzet
Re: CouchDB vulnerability
Posted by Joan Touzet <wo...@apache.org>.
Hi Andrea,
On 2020-05-20 9:37, Andrea Brancatelli wrote:
> A client sent us a link about a supposed security problem with one of
> our couchdb 2.3.1 instances.
>
> He referred to this https://www.exploit-db.com/exploits/46595 which, to
> me, seems a rather confused report that, I guess, can be related to an
> "out of the box" couchdb setup in admin party.
I agree.
The first 3 things are just showing that, in admin party, you can create
a DB, delete a DB, and create a document. This is nothing new.
#4 is showing you can create an admin on a new install if there is no
admin there already. Same thing.
#5 and #6 are nonsense entries, in that they are adding nonsense config
settings through the admin config API. Not only are these not possible
once you leave admin party, junk in the config file like this will be
ignored.
There is no new exploit or CVE here.
> Am I wrong? Does a correctly set up couchdb with a local admin and correct
> grants to the dbs suffer from that issue?
Nope! In short, none of this is possible once you disable admin party -
except for #3 in 2.x, and that's fixable by tightening up each DB's
_security.
>
> Thanks.
>
-Joan "open by default is confusing in 2020" Touzet
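As an added example (not code from the thread or the CouchDB project) of checking the two conditions Joan describes above, an anonymous session that still holds the `_admin` role (admin party) and a database whose `_security.members` section is empty (the per-database tightening that fixes #3): the check functions take the parsed JSON of `/_session` and `/<db>/_security`, and `audit()` fetches them over plain HTTP from a base URL and database list you supply.

```python
"""Audit helpers for the CouchDB 2.x admin-party / open _security issue.

Added example, not code from the thread or the CouchDB project. Each check
takes the parsed JSON of one CouchDB endpoint so it can be tested offline;
fetch_json() is a thin urllib wrapper for use against a live node.
"""
import json
import urllib.request


def is_admin_party(session_doc):
    """GET /_session with no credentials: an anonymous userCtx that still
    carries the _admin role means no server admin exists yet (admin party)."""
    ctx = session_doc.get("userCtx", {})
    return ctx.get("name") is None and "_admin" in ctx.get("roles", [])


def db_is_open_to_everyone(security_doc):
    """GET /<db>/_security: CouchDB treats a members section with no names
    and no roles as "everyone", so any caller (anonymous included, unless
    require_valid_user is on) can read and write ordinary documents."""
    members = security_doc.get("members", {})
    return not members.get("names") and not members.get("roles")


def tightened_security(admin_roles, member_roles):
    """Build a _security document that limits the DB to the given roles;
    PUT it to /<db>/_security as a server admin to close the gap above."""
    return {
        "admins": {"names": [], "roles": list(admin_roles)},
        "members": {"names": [], "roles": list(member_roles)},
    }


def fetch_json(url):
    """Fetch and parse a JSON document (deliberately unauthenticated)."""
    with urllib.request.urlopen(url, timeout=5) as resp:  # assumption: plain HTTP
        return json.load(resp)


def audit(base_url, db_names):
    """Return findings for one node; base_url e.g. http://127.0.0.1:5984 (assumed)."""
    findings = []
    if is_admin_party(fetch_json(base_url + "/_session")):
        findings.append("node is in admin party: create a server admin first")
    for db in db_names:
        if db_is_open_to_everyone(fetch_json(f"{base_url}/{db}/_security")):
            findings.append(f"{db}: _security.members is empty, anyone can write")
    return findings
```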