2.1. CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability¶
- Date:
31.03.2010
- Affected:
Apache CouchDB 0.8.0 to 0.10.1
- Severity:
Important
- Vendor:
The Apache Software Foundation
2.1.1. Description¶
Apache CouchDB versions prior to version 0.11.0 are vulnerable to timing attacks, also known as side-channel information leakage, due to using simple break-on-inequality string comparisons when verifying hashes and passwords.
2.1.2. Mitigation¶
All users should upgrade to CouchDB 0.11.0. Upgrades from the 0.10.x series should be seamless. Users on earlier versions should consult with upgrade notes.
2.1.3. Example¶
A canonical description of the attack can be found in http://codahale.com/a-lesson-in-timing-attacks/
2.1.4. Credit¶
This issue was discovered by Jason Davies of the Apache CouchDB development team.