[couchdb-documentation] branch master updated: Disclose CVE 2018-11769

[wo...@apache.org]

This is an automated email from the ASF dual-hosted git repository.

wohali pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/couchdb-documentation.git


The following commit(s) were added to refs/heads/master by this push:
     new eddb077  Disclose CVE 2018-11769
eddb077 is described below

commit eddb077986095cc84b66c683f85292e2d719f475
Author: Joan Touzet <jo...@atypical.net>
AuthorDate: Wed Aug 8 10:07:52 2018 -0400

    Disclose CVE 2018-11769
---
 src/cve/2018-11769.rst | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++
 src/whatsnew/2.2.rst   |  2 ++
 2 files changed, 62 insertions(+)

diff --git a/src/cve/2018-11769.rst b/src/cve/2018-11769.rst
new file mode 100644
index 0000000..7968116
--- /dev/null
+++ b/src/cve/2018-11769.rst
@@ -0,0 +1,60 @@
+.. Licensed under the Apache License, Version 2.0 (the "License"); you may not
+.. use this file except in compliance with the License. You may obtain a copy of
+.. the License at
+..
+..   http://www.apache.org/licenses/LICENSE-2.0
+..
+.. Unless required by applicable law or agreed to in writing, software
+.. distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+.. WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+.. License for the specific language governing permissions and limitations under
+.. the License.
+
+.. _cve/2018-11769:
+
+====================================================
+CVE-2018-11769: Apache CouchDB Remote Code Execution
+====================================================
+
+:Date: 08.08.2018
+
+:Affected: Apache CouchDB 1.x and ≤2.1.2
+
+:Severity: Low
+
+:Vendor: The Apache Software Foundation
+
+Description
+===========
+
+CouchDB administrative users can configure the database server via HTTP(S). Due
+to insufficient validation of administrator-supplied configuration settings via
+the HTTP API, it is possible for a CouchDB administrator user to escalate their
+privileges to that of the operating system’s user under which CouchDB runs, by
+bypassing the blacklist of configuration settings that are not allowed to be
+modified via the HTTP API.
+
+This privilege escalation effectively allows a CouchDB admin user to gain
+arbitrary remote code execution, bypassing mitigations for
+:ref:`CVE-2017-12636 <cve/2017-12636>` and :ref:`CVE-2018-8007 <cve/2018-8007>`.
+
+Mitigation
+==========
+
+All users should upgrade to CouchDB :ref:`2.2.0 <release/2.2.0>`.
+
+Upgrades from previous 2.x versions in the same series should be seamless.
+
+Users still on CouchDB 1.x should be advised that the Apache CouchDB team no
+longer support 1.x.
+
+In-place mitigation (on any 1.x release, or 2.x prior to 2.2.0) is possible by
+removing the ``_config`` route from the ``default.ini`` file, as follows:
+
+   .. code-block:: text
+
+    [httpd_global_handlers]
+    ;_config = {couch_httpd_misc_handlers, handle_config_req}
+
+or by blocking access to the `/_config` (1.x) or `/_node/*/_config` routes at a reverse
+proxy in front of the service.
diff --git a/src/whatsnew/2.2.rst b/src/whatsnew/2.2.rst
index 6328b4d..ef51172 100644
--- a/src/whatsnew/2.2.rst
+++ b/src/whatsnew/2.2.rst
@@ -86,6 +86,8 @@ Upgrade Notes
   This feature never worked in 2.0 for databases, only for shards, making it effectively
   useless.
 
+.. _release/2.2.0:
+
 Version 2.2.0
 =============