
=====================================================================

                            CERT-Renater

                  Note d'Information No. 2021/VULN170
_____________________________________________________________________

DATE                : 26/04/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache CouchDB versions
                     prior to 3.2.2.

=====================================================================
https://lists.apache.org/thread/tkto5n4op3vgjqh8sgsjllcxkhtoo7jj
_____________________________________________________________________


CVE-2022-24706: Apache CouchDB: Remote Code Execution Vulnerability in
Packaging

Severity: critical


Description:

An attacker can access an improperly secured default installation 
without authenticating and gain admin privileges.

1. CouchDB opens a random network port, bound to all available
interfaces, in anticipation of clustered operation and/or runtime
introspection. A utility process called `epmd` advertises that random
port to the network. `epmd` itself listens on a fixed port.
2. CouchDB packaging previously chose a default `cookie` value for
single-node as well as clustered installations. That cookie
authenticates any communication between Erlang nodes.

The CouchDB documentation[1] has always made recommendations for
properly securing an installation, but not all users follow the
advice.

We recommend a firewall in front of all CouchDB installations. The full
CouchDB API is available on registered port `5984`, and this is the only
port that needs to be exposed for a single-node install. Installations
that do not expose the separate distribution port (or `epmd`) to external
access are not vulnerable.

[1]: https://docs.couchdb.org/en/stable/setup/cluster.html
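
The following is an added example accompanying this advisory; it is not
code from the CouchDB project or from the original announcement. It shows
how the exposure described above can be checked from the outside: `epmd`
listens on its fixed, well-known port 4369 and answers an unauthenticated
NAMES request (request code `n`) with the name and distribution port of
every registered Erlang node. Any answer from a non-loopback address means
the random distribution port is reachable and only the cookie protects the
node. The port number and the wire format are taken from the Erlang/OTP
epmd protocol documentation; the target hostnames and the sample reply
embedded in the block are constructed for illustration.

```python
"""Probe epmd (Erlang Port Mapper Daemon) and list the distribution ports it advertises.

Added example for this advisory; not CouchDB project code. EPMD_PORT and the
NAMES_REQ / NAMES_RESP framing follow the Erlang/OTP epmd protocol; the
SAMPLE_REPLY below is a constructed reply used for offline demonstration.
"""
import re
import socket
import struct
import sys
from typing import Dict, List, Optional

EPMD_PORT = 4369          # epmd's fixed, registered port
NAMES_REQ = b"n"          # request code 110: list all registered nodes

# Every NodeInfo entry in a NAMES_RESP has this exact textual shape.
NODE_LINE = re.compile(rb"name (\S+) at port (\d+)")

# Constructed reply: 4-byte big-endian epmd port (4369) followed by two node entries.
SAMPLE_REPLY = struct.pack(">I", EPMD_PORT) + b"name couchdb at port 45213\nname other at port 40001\n"


def build_names_request() -> bytes:
    """epmd frames each request as a 2-byte big-endian length followed by the body."""
    return struct.pack(">H", len(NAMES_REQ)) + NAMES_REQ


def parse_names_reply(data: bytes) -> Dict[str, object]:
    """Parse a NAMES_RESP: 4-byte epmd port, then one 'name X at port N' line per node."""
    if len(data) < 4:
        raise ValueError("truncated epmd reply")
    epmd_port = struct.unpack(">I", data[:4])[0]
    nodes = {m.group(1).decode(): int(m.group(2)) for m in NODE_LINE.finditer(data[4:])}
    return {"epmd_port": epmd_port, "nodes": nodes}


def exposed_distribution_ports(reply: Dict[str, object]) -> List[int]:
    """Distribution ports an attacker learns from a single unauthenticated request."""
    return sorted(reply["nodes"].values())


def query_epmd(host: str, timeout: float = 3.0) -> Optional[Dict[str, object]]:
    """Return what epmd on `host` advertises, or None if port 4369 is closed or filtered.

    epmd closes the connection after sending the reply, so we read until EOF.
    """
    try:
        with socket.create_connection((host, EPMD_PORT), timeout=timeout) as s:
            s.sendall(build_names_request())
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:          # refused, unreachable, or timed out: not exposed from here
        return None
    return parse_names_reply(b"".join(chunks))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]
        result = query_epmd(target)
        if result is None:
            print(f"{target}: epmd not reachable on {EPMD_PORT}")
        else:
            for name, port in result["nodes"].items():
                print(f"{target}: node {name} advertises distribution port {port}")
    else:
        # Offline demonstration on the constructed reply.
        print(parse_names_reply(SAMPLE_REPLY))
```

Run it against a CouchDB host from a network segment that should not have
cluster access; a listed node means the firewall or bind restriction the
recommendation above calls for is not in place.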



Mitigation:

CouchDB 3.2.2 and onwards will refuse to start with the former default
Erlang cookie value of `monster`. Installations that upgrade to this
version are forced to choose a different value.

In addition, all binary packages have been updated to bind both `epmd`
and the CouchDB distribution port to `127.0.0.1` and/or `::1`, so that
neither is reachable from other hosts.
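
The following is an added example accompanying this advisory; it is not
code shipped by Apache CouchDB. It audits a `vm.args` file for the two
conditions the mitigation addresses: the former default cookie `monster`
(set with the Erlang VM flag `-setcookie`) and a distribution port that is
not restricted to loopback (set with `-kernel inet_dist_use_interface`,
which takes an Erlang address tuple such as `{127,0,0,1}`). `epmd` itself
is bound through the Erlang/OTP `ERL_EPMD_ADDRESS` environment variable;
the advisory does not say which mechanism the updated packages use, so that
check is a separate parameter here. Both sample configurations in the block
are constructed, and the hardened cookie value is made up.

```python
"""Audit a CouchDB vm.args and epmd bind address for the weaknesses in this advisory.

Added example for this advisory; not Apache CouchDB code. `-setcookie` and
`-kernel inet_dist_use_interface` are standard Erlang VM flags, and
ERL_EPMD_ADDRESS is Erlang/OTP's knob for binding epmd. Both sample files
below are constructed; the hardened cookie is an arbitrary made-up string.
"""
from typing import Dict, List

DEFAULT_COOKIE = "monster"   # CouchDB >= 3.2.2 refuses to start with this value
# Erlang tuple spelling of 127.0.0.1 and ::1, as used by inet_dist_use_interface
LOOPBACK_TUPLES = {"{127,0,0,1}", "{0,0,0,0,0,0,0,1}"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}

# Constructed sample: the shape of a pre-3.2.2 single-node default.
WEAK_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie monster
-kernel error_logger silent
"""

# Constructed sample: unique cookie, distribution port on loopback only.
HARDENED_VM_ARGS = """\
-name couchdb@127.0.0.1
# made-up random cookie; generate your own
-setcookie 2f9a7c41d6e08b53
-kernel inet_dist_use_interface {127,0,0,1}
-kernel error_logger silent
"""


def parse_vm_args(text: str) -> Dict[str, object]:
    """One flag per line; lines starting with '#' are comments.

    '-kernel KEY VALUE' lines are folded into cfg['kernel'][KEY]; every other
    flag maps to the list of arguments that followed it.
    """
    cfg = {"kernel": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        flag, *args = line.split()
        if flag == "-kernel" and len(args) == 2:
            cfg["kernel"][args[0]] = args[1]
        else:
            cfg[flag] = args
    return cfg


def audit(vm_args: str, erl_epmd_address: str = "") -> List[str]:
    """Return one finding per weakness; an empty list means both issues are addressed."""
    cfg = parse_vm_args(vm_args)
    findings = []

    cookie = cfg.get("-setcookie", [])
    if cookie and cookie[0] == DEFAULT_COOKIE:
        findings.append("cookie is the former default 'monster': any peer knowing it can join the node")

    bind = cfg["kernel"].get("inet_dist_use_interface")
    if bind is None:
        findings.append("distribution port bound to all interfaces (no inet_dist_use_interface)")
    elif bind not in LOOPBACK_TUPLES:
        findings.append(f"distribution port bound to non-loopback interface {bind}")

    # ERL_EPMD_ADDRESS takes a comma-separated list; anything beyond loopback is a finding.
    epmd_addrs = {a.strip() for a in erl_epmd_address.split(",") if a.strip()}
    if not epmd_addrs or not epmd_addrs <= LOOPBACK_ADDRS:
        findings.append("epmd listens beyond loopback (ERL_EPMD_ADDRESS unset or non-loopback)")
    return findings


if __name__ == "__main__":
    for label, text, epmd in (("weak", WEAK_VM_ARGS, ""), ("hardened", HARDENED_VM_ARGS, "127.0.0.1")):
        print(f"{label}: {audit(text, epmd) or ['no findings']}")
```

On a multi-node cluster the loopback bind is not an option, since nodes
must reach each other's distribution ports; there the unique cookie plus
a firewall limiting `epmd` and the distribution port to cluster members is
the applicable configuration.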

Credit:

The Apache CouchDB Team would like to thank Alex Vandiver 
<al...@zulip.com> for the report of this issue.

References:

https://lists.apache.org/thread/w24wo0h8nlctfps65txvk0oc5hdcnv00



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

