17.7. CVE-2014-2668: DoS (CPU and memory consumption) via the count parameter to /_uuids
| Field | Value |
|---|---|
| Date | 26.03.2014 |
| Affected | Apache CouchDB releases up to and including 1.3.1, 1.4.0, and 1.5.0 are vulnerable. |
| Severity | Moderate |
| Vendor | The Apache Software Foundation |
17.7.1. Description
The /_uuids resource's count query parameter accepts unreasonably huge numeric values, which leads to exhaustion of server resources (CPU and memory) and, as a result, to denial of service (DoS).
17.7.2. Mitigation
Upgrade to a supported CouchDB release that includes this fix, such as:
17.7.3. Work-Around
Disable the /_uuids handler completely by adapting local.ini and restarting CouchDB:

```ini
[httpd_global_handlers]
_uuids =
```
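Until the upgrade or the work-around above is in place, the pattern the description names (a /_uuids request with an oversized count) is easy to spot in the httpd access log. The following detection snippet is an added example, not part of the advisory or of CouchDB; the log lines are constructed in a CouchDB-1.x-like style, and MAX_COUNT is an assumed policy threshold rather than a CouchDB setting.

```python
import re
from urllib.parse import parse_qs, urlsplit

MAX_COUNT = 1000  # assumed policy threshold, not a CouchDB setting

# Constructed log format: "<client-ip> - - <METHOD> <path[?query]> <status>"
REQUEST_RE = re.compile(
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) - - (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})"
)

def uuids_count(target):
    """Count requested from /_uuids, None for other paths.
    A missing count means CouchDB's default of 1; a non-integer count is
    returned as -1 so the caller can flag it for inspection."""
    parts = urlsplit(target)
    if parts.path.rstrip("/") != "/_uuids":
        return None
    values = parse_qs(parts.query).get("count")
    if not values:
        return 1
    try:
        return int(values[-1])  # last value wins if the parameter repeats
    except ValueError:
        return -1

def flag_line(line, max_count=MAX_COUNT):
    """Return {'ip', 'count'} when the line is an oversized or malformed
    /_uuids request, otherwise None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    count = uuids_count(m.group("target"))
    if count is None or 0 <= count <= max_count:
        return None
    return {"ip": m.group("ip"), "count": count}

def scan(lines, max_count=MAX_COUNT):
    """Collect flag_line hits over an iterable of log lines."""
    return [hit for hit in (flag_line(line, max_count) for line in lines) if hit]

# Constructed sample log; the third line is the oversized request the
# advisory describes, the fourth a malformed count worth a second look.
SAMPLE_LOG = [
    "[Wed, 26 Mar 2014 10:00:01 GMT] [info] [<0.201.0>] 10.0.0.5 - - GET /_uuids 200",
    "[Wed, 26 Mar 2014 10:00:02 GMT] [info] [<0.202.0>] 10.0.0.5 - - GET /_uuids?count=10 200",
    "[Wed, 26 Mar 2014 10:00:03 GMT] [info] [<0.203.0>] 10.0.0.9 - - GET /_uuids?count=100000000 200",
    "[Wed, 26 Mar 2014 10:00:04 GMT] [info] [<0.204.0>] 10.0.0.9 - - GET /_uuids?count=abc 400",
    "[Wed, 26 Mar 2014 10:00:05 GMT] [info] [<0.205.0>] 10.0.0.7 - - GET /db/_all_docs?limit=5000 200",
]
```

Running `scan(SAMPLE_LOG)` reports the two 10.0.0.9 requests and nothing for the normal ones; lower `max_count` to match the limit your own deployment considers reasonable.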