Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 660908 (CVE-2018-8007) - <dev-db/couchdb-1.7.2: administrative privilege escalation
Summary: <dev-db/couchdb-1.7.2: administrative privilege escalation
Status: RESOLVED FIXED
Alias: CVE-2018-8007
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B1 [glsa+ cve]
Keywords:
: 662170 (view as bug list)
Depends on:
Blocks:
 
Reported: 2018-07-11 14:24 UTC by Agostino Sarubbo
Modified: 2018-12-15 20:09 UTC (History)
2 users (show)

See Also:
Package list:
dev-db/couchdb-1.7.2
Runtime testing required: ---
stable-bot: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2018-07-11 14:24:49 UTC 
From ${URL} :

[CVEID]: CVE-2018-8007
[PRODUCT]: Apache CouchDB
[VERSION]: Apache CouchDB versions up to and including 1.7.1, and 2.1.1
[PROBLEMTYPE]: Administrative Privilege Escalation
[REFERENCES]: https://blog.couchdb.org/2018/07/10/cve-2018-8007/ http://mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3C1699016538.6219.1531246785603.JavaMail.Joan%40RITA%3E 
http://mail-archives.apache.org/mod_mbox/couchdb-announce/201807.mbox/%3c1439409216.6221.1531246856676.JavaMail.Joan@RITA%3e
[DESCRIPTION]: CouchDB administrative users can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is 
possible for a CouchDB administrator user to escalate their privileges to that of the operating system’s user that CouchDB runs under, by bypassing the blacklist of configuration settings that are not 
allowed to be modified via the HTTP API.

This privilege escalation effectively allows an existing CouchDB admin user to gain arbitrary remote code execution, bypassing already disclosed CVE-2017-12636.

Mitigation:

All users should upgrade to CouchDB releases 1.7.2 or 2.1.2.

Upgrades from previous 1.x and 2.x versions in the same series should be
seamless.

Users on earlier versions, or users upgrading from 1.x to 2.x should consult
with upgrade notes.
Credit

This issue was discovered by Francesco Oddo of MDSec Labs. The CouchDB PMC gratefully acknowledges their support in responsibly disclosing this vulnerability.


@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.
Comment 1 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-07-11 14:42:22 UTC 
Yup, stabilization should be fine.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2018-07-15 14:24:27 UTC 
x86 stable
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2018-07-15 17:15:46 UTC 
amd64 stable
Comment 4 Dirkjan Ochtman (RETIRED) gentoo-dev 2018-07-26 12:58:36 UTC 
*** Bug 662170 has been marked as a duplicate of this bug. ***
Comment 5 ernsteiswuerfel archtester 2018-07-31 20:24:23 UTC 
Looking good on ppc.

# cat couchdb-660908.report 
USE tests started on Di 31. Jul 22:01:51 CEST 2018

FEATURES=' test' USE='' succeeded for =dev-db/couchdb-1.7.2
USE='-libressl' succeeded for =dev-db/couchdb-1.7.2
USE='libressl' : blocked packages (probably) for =dev-db/couchdb-1.7.2
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2018-08-05 20:36:30 UTC 
ppc stable. Thanks to  ernsteiswuerfel!
Comment 7 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2018-12-11 13:24:36 UTC 
Package removed wrt #594624.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2018-12-15 20:09:20 UTC 
This issue was resolved and addressed in
 GLSA 201812-06 at https://security.gentoo.org/glsa/201812-06
by GLSA coordinator Aaron Bauman (b-man).