Posted to announce@couchdb.apache.org by Jan Lehnardt <ja...@apache.org> on 2022/04/26 08:43:05 UTC

CVE-2022-24706: Apache CouchDB Remote Privilege Escalation

Description
===========

An attacker can access an improperly secured default installation without
authenticating and gain admin privileges.

1. CouchDB opens a random network port, bound to all available interfaces,
   in anticipation of clustered operation and/or runtime introspection. A
   utility process called `epmd` (the Erlang port mapper daemon) advertises
   that random port to the network. `epmd` itself listens on a fixed port
   (4369 by default).
2. CouchDB packaging previously chose a default `cookie` value for single-node
   as well as clustered installations. That cookie authenticates any
   communication between Erlang nodes.

The CouchDB documentation[1] has always made recommendations for properly
securing an installation, but not all users follow the advice.

We recommend a firewall in front of all CouchDB installations. The full
CouchDB API is available on the registered port `5984`, and this is the
only port that needs to be exposed for a single-node install. Installations
that do not expose the separate distribution port to external access are
not vulnerable.

Mitigation
==========

CouchDB 3.2.2 and onwards will refuse to start with the former default
Erlang cookie value of `monster`. Installations that upgrade to these
versions are forced to choose a different value.

In addition, all binary packages have been updated to bind both `epmd` and
the CouchDB distribution port to the loopback addresses `127.0.0.1` and/or
`::1`, so that neither is reachable from other hosts.

Credit
======

This issue was identified by Alex Vandiver <al...@zulip.com>.

[1]: https://docs.couchdb.org/en/stable/setup/cluster.html