Posted to user@couchdb.apache.org by Andrea Brancatelli <ab...@schema31.it.INVALID> on 2020/05/20 13:37:51 UTC

CouchDB vulnerability

A client sent us a link about a supposed security problem with one of
our couchdb 2.3.1 instances. 

He related to this https://www.exploit-db.com/exploits/46595 which, to
me, seems a quite confused report that, I guess, can be related to an
"out of the box" couchdb setup in admin party. 

Am I wrong? Does a correctly set up couchdb with a local admin and correct
grants to the dbs suffer from that issue? 

Thanks.

-- 

Andrea Brancatelli

Re: CouchDB vulnerability

Posted by Joan Touzet <wo...@apache.org>.

On 2020-05-20 3:52 p.m., Andrea Brancatelli wrote:
> Thanks Joan,
> 
> You’re accurate as usual.
> 
> Do you think it’s worth writing to exploit-db to correct those misleading reports?

Well, it says the exploit is "unconfirmed," which I think means it's 
just some random user's submission. I think it's meaningless enough (and 
easily explainable, by pointing anyone to this public email thread via 
https://lists.apache.org/) to not warrant official project action, but 
if you want, you're welcome to write to them :)

-Joan "late nights this week" Touzet

> 
> Sent from iPhone
> 
>> On 20 May 2020, at 19:29, Joan Touzet <wo...@apache.org> wrote:
>>
>> Hi Andrea,
>>
>>> On 2020-05-20 9:37, Andrea Brancatelli wrote:
>>> A client sent us a link about a supposed security problem with one of
>>> our couchdb 2.3.1 instances.
>>> He related to this https://www.exploit-db.com/exploits/46595 which, to
>>> me, seems a quite confused report that, I guess, can be related to an
>>> "out of the box" couchdb setup in admin party.
>>
>> I agree.
>>
>> The first 3 things are just showing that, in admin party, you can create a DB, delete a DB, and create a document. This is nothing new.
>>
>> #4 is showing you can create an admin on a new install if there is no admin there already. Same thing.
>>
>> #5 and #6 are nonsense entries, in that they are adding nonsense config settings through the admin config API. Not only are these not possible once you leave admin party, junk in the config file like this will be ignored.
>>
>> There is no new exploit or CVE here.
>>
>>> Am I wrong? Does a correctly set up couchdb with a local admin and correct
>>> grants to the dbs suffer from that issue?
>>
>> Nope! In short, none of this is possible once you disable admin party - except for #3 in 2.x, and that's fixable by tightening up each DB's _security.
>>
>>> Thanks.
>>
>> -Joan "open by default is confusing in 2020" Touzet
> 

Re: CouchDB vulnerability

Posted by Andrea Brancatelli <ab...@schema31.it.INVALID>.
Thanks Joan,

You’re accurate as usual.

Do you think it’s worth writing to exploit-db to correct those misleading reports?

Sent from iPhone

> On 20 May 2020, at 19:29, Joan Touzet <wo...@apache.org> wrote:
> 
> Hi Andrea,
> 
>> On 2020-05-20 9:37, Andrea Brancatelli wrote:
>> A client sent us a link about a supposed security problem with one of
>> our couchdb 2.3.1 instances.
>> He related to this https://www.exploit-db.com/exploits/46595 which, to
>> me, seems a quite confused report that, I guess, can be related to an
>> "out of the box" couchdb setup in admin party.
> 
> I agree.
> 
> The first 3 things are just showing that, in admin party, you can create a DB, delete a DB, and create a document. This is nothing new.
> 
> #4 is showing you can create an admin on a new install if there is no admin there already. Same thing.
> 
> #5 and #6 are nonsense entries, in that they are adding nonsense config settings through the admin config API. Not only are these not possible once you leave admin party, junk in the config file like this will be ignored.
> 
> There is no new exploit or CVE here.
> 
>> Am I wrong? Does a correctly set up couchdb with a local admin and correct
>> grants to the dbs suffer from that issue?
> 
> Nope! In short, none of this is possible once you disable admin party - except for #3 in 2.x, and that's fixable by tightening up each DB's _security.
> 
>> Thanks.
> 
> -Joan "open by default is confusing in 2020" Touzet


Re: CouchDB vulnerability

Posted by Joan Touzet <wo...@apache.org>.
Hi Andrea,

On 2020-05-20 9:37, Andrea Brancatelli wrote:
> A client sent us a link about a supposed security problem with one of
> our couchdb 2.3.1 instances.
> 
> He related to this https://www.exploit-db.com/exploits/46595 which, to
> me, seems a quite confused report that, I guess, can be related to an
> "out of the box" couchdb setup in admin party.

I agree.

The first 3 things are just showing that, in admin party, you can create 
a DB, delete a DB, and create a document. This is nothing new.

#4 is showing you can create an admin on a new install if there is no 
admin there already. Same thing.

#5 and #6 are nonsense entries, in that they are adding nonsense config 
settings through the admin config API. Not only are these not possible 
once you leave admin party, junk in the config file like this will be 
ignored.

There is no new exploit or CVE here.

> Am I wrong? Does a correctly set up couchdb with a local admin and correct
> grants to the dbs suffer from that issue?

Nope! In short, none of this is possible once you disable admin party - 
except for #3 in 2.x, and that's fixable by tightening up each DB's 
_security.

> 
> Thanks.
> 

-Joan "open by default is confusing in 2020" Touzet
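As an added example (not part of the thread and not CouchDB project code), the script below checks a 2.x instance for the two conditions Joan's reply turns on: admin party, which an unauthenticated GET /_session reveals as a null user name carrying the _admin role, and a database whose _security document has an empty members section, which is what still lets anonymous users create documents after admin party is over (her "#3 in 2.x"). It also builds the tightened _security body she recommends. The server URL, the database names and the admin/role names used here are assumptions, and the sample JSON bodies are constructed rather than captured.

```python
"""Added example: audit a CouchDB 2.x instance for admin party and for
databases whose _security leaves members empty, then build a tightened
_security document. Server URL, DB names and user/role names are assumed."""
import base64
import json
import urllib.request

# Constructed sample responses, shaped like CouchDB's /_session and
# /{db}/_security bodies; not captured from a real server.
SESSION_ADMIN_PARTY = {"ok": True, "userCtx": {"name": None, "roles": ["_admin"]}}
SESSION_ANONYMOUS = {"ok": True, "userCtx": {"name": None, "roles": []}}
SECURITY_OPEN = {"admins": {"names": [], "roles": []},
                 "members": {"names": [], "roles": []}}


def is_admin_party(session):
    """An unauthenticated GET /_session answers name=null together with the
    _admin role only while no server admin has been defined."""
    ctx = session.get("userCtx", {})
    return ctx.get("name") is None and "_admin" in ctx.get("roles", [])


def members_are_open(security):
    """Empty members names and roles: CouchDB 2.x lets any user, anonymous
    included, read the DB and create documents in it."""
    members = security.get("members") or {}
    return not members.get("names") and not members.get("roles")


def tightened_security(admin_names, member_roles):
    """Build a _security body restricting the DB to the named admins and to
    users carrying one of the given roles (server admins always keep access)."""
    return {"admins": {"names": sorted(admin_names), "roles": []},
            "members": {"names": [], "roles": sorted(member_roles)}}


def _request(url, auth=None, body=None, method="GET"):
    """Minimal JSON request; auth is a (user, password) tuple or None."""
    headers = {"Accept": "application/json"}
    data = None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = "Basic " + token
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def audit_server(base_url, auth=None):
    """Return findings for a live server (assumed layout http://host:5984).
    The admin-party probe is deliberately made without credentials."""
    findings = []
    if is_admin_party(_request(base_url + "/_session")):
        findings.append("admin party: define a server admin under [admins] in local.ini")
    for db in _request(base_url + "/_all_dbs", auth):
        if db.startswith("_"):
            continue  # _users, _replicator and friends carry their own rules
        if members_are_open(_request(f"{base_url}/{db}/_security", auth)):
            findings.append(f"{db}: _security members empty, anonymous writes allowed")
    return findings


def apply_security(base_url, db, body, auth):
    """PUT the tightened document to /{db}/_security; CouchDB replies {"ok": true}."""
    return _request(f"{base_url}/{db}/_security", auth, body, method="PUT")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("admin party?", is_admin_party(SESSION_ADMIN_PARTY))          # True
    print("anonymous with admin set?", is_admin_party(SESSION_ANONYMOUS))  # False
    print("members open?", members_are_open(SECURITY_OPEN))             # True
    fixed = tightened_security(["dbadmin"], ["app_rw"])
    print("open after tightening?", members_are_open(fixed))            # False
    print(json.dumps(fixed))
```

Run as-is it only exercises the constructed samples; point audit_server() at a real instance with admin credentials to list the databases that need an apply_security() call. On 2.x, admin party ends as soon as a line such as admin = somepassword exists under [admins] in local.ini (CouchDB hashes the value on restart) or the same entry is written through the config API, which is the "#4" step the report mistakes for a vulnerability.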