16.9. CVE-2017-12636: Apache CouchDB Remote Code Execution

Date:14.11.2017
Affected:All Versions of Apache CouchDB
Severity:Critical
Vendor:The Apache Software Foundation

16.9.1. Description

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows a CouchDB admin user to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

16.9.2. Mitigation

All users should upgrade to CouchDB 1.7.1 or 2.1.1.

Upgrades from previous 1.x and 2.x versions in the same series should be seamless.

Users on earlier versions, or users upgrading from 1.x to 2.x should consult with upgrade notes.

16.9.3. Credit

This issue was discovered by Joan Touzet of the CouchDB Security team during the investigation of CVE-2017-12635.