17.1. CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability
Date: 31.03.2010
Affected: Apache CouchDB 0.8.0 to 0.10.1
Severity: Important
Vendor: The Apache Software Foundation
17.1.1. Description
Apache CouchDB versions prior to version 0.11.0 are vulnerable to timing attacks, also known as side-channel information leakage, due to using simple break-on-inequality string comparisons when verifying hashes and passwords. Such a comparison returns as soon as the first differing byte is found, so the time it takes depends on how long the correctly matching prefix is.
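The following is an added illustration, not code from CouchDB (which is written in Erlang). It contrasts a break-on-inequality comparison with a constant-time one in Python. Instead of measuring wall-clock time, each comparison reports how many bytes it examined before returning; that count is the quantity an attacker's timing measurements would approximate. The secret value and the probe routine `examined_by_prefix` are constructed for this example.

```python
import hmac


def naive_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Break-on-inequality comparison, the pattern the advisory describes.

    Returns (equal, bytes_examined). The byte count stands in for elapsed
    time: it grows with the length of the correctly matching prefix, which
    is exactly the information that leaks.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:          # early exit: work done depends on the data
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Examines every byte regardless of where the first mismatch sits.

    Only the length check short-circuits; for hash digests of a fixed size
    that reveals nothing an attacker does not already know.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y       # accumulate differences, never branch on them
    return diff == 0, len(a)


def verify_digest(presented: bytes, expected: bytes) -> bool:
    """What production code should call: the standard library's
    constant-time comparison rather than a hand-rolled loop."""
    return hmac.compare_digest(presented, expected)


def examined_by_prefix(secret: bytes, compare) -> list[int]:
    """Constructed probe used only to visualise the leak.

    For each prefix length k, build a guess whose first k bytes match the
    secret and whose remaining bytes are all wrong, then record how many
    bytes `compare` examined. A data-dependent comparison yields a rising
    staircase; a constant-time one yields a flat line.
    """
    counts = []
    for k in range(len(secret) + 1):
        guess = secret[:k] + bytes((c + 1) % 256 for c in secret[k:])
        counts.append(compare(guess, secret)[1])
    return counts


if __name__ == "__main__":
    # Constructed secret; in CouchDB this would be a stored password hash.
    secret = b"s3cr3t-hash"
    print("naive:        ", examined_by_prefix(secret, naive_compare))
    print("constant-time:", examined_by_prefix(secret, constant_time_compare))
    print("verify_digest:", verify_digest(b"s3cr3t-hash", secret))
```

Running the script prints a rising sequence for `naive_compare` and a flat one for `constant_time_compare`; the flat profile is what a fixed comparison routine must produce so that response time carries no information about how much of a guessed hash or password was correct.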
17.1.2. Mitigation
All users should upgrade to CouchDB 0.11.0. Upgrades from the 0.10.x series should be seamless. Users on earlier versions should consult the upgrade notes.
17.1.3. Example
A canonical description of the attack can be found at http://codahale.com/a-lesson-in-timing-attacks/
17.1.4. Credit
This issue was discovered by Jason Davies of the Apache CouchDB development team.