2.9. CVE-2017-12636: Apache CouchDB Remote Code Execution

Date

14.11.2017

Affected

All Versions of Apache CouchDB

Severity

Critical

Vendor

The Apache Software Foundation

2.9.1. Description

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows a CouchDB admin user to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

2.9.2. Mitigation

All users should upgrade to CouchDB 1.7.1 or 2.1.1.

Upgrades from previous 1.x and 2.x versions in the same series should be seamless.

Users on earlier versions, or users upgrading from 1.x to 2.x should consult with upgrade notes.

2.9.3. Credit

This issue was discovered by Joan Touzet of the CouchDB Security team during the investigation of CVE-2017-12635.