| Summary: | couchdb new security issue CVE-2014-2668 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | | |
| Priority: | Normal | CC: | davidwhodgins, fundawang, mageia, sysadmin-bugs, tmb, wilcal.int |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/594897/ | | |
| Whiteboard: | MGA3TOO has_procedure advisory MGA3-32-OK MGA3-64-OK mga4-32-ok mga4-64-ok | | |
| Source RPM: | couchdb-1.4.0-3.mga5.src.rpm | CVE: | |
| Status comment: | | | |
| Attachments: | /var/lib/couchdb/erl_crash.dump (attachment 5127); new /var/lib/couchdb/erl_crash.dump (attachment 5137) | | |
Description

David Walser
2014-04-15 20:36:51 CEST

David Walser
2014-04-15 20:36:57 CEST
Whiteboard: (none) => MGA4TOO, MGA3TOO

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated couchdb packages fix security vulnerability:

Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) via the count parameter to /_uuids (CVE-2014-2668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2668
http://lists.opensuse.org/opensuse-updates/2014-04/msg00039.html
========================

Updated packages in core/updates_testing:
========================
couchdb-1.2.1-3.1.mga3
couchdb-bin-1.2.1-3.1.mga3
couchdb-1.4.0-2.1.mga4
couchdb-bin-1.4.0-2.1.mga4

from SRPMS:
couchdb-1.2.1-3.1.mga3.src.rpm
couchdb-1.4.0-2.1.mga4.src.rpm

Version: Cauldron => 4

There appears to be something wrong with download.opensuse.org, so I had to use Google to find OpenSuSE's SRPMS to get the patches.

Note to QA: see the Novell bug linked in Comment 0 for PoC information.

# Exploit Title: Couchdb uuids DOS exploit
# Google Dork inurl: _uuids
# Date: 03/24/2014
# Exploit Author: KrustyHack
# Vendor Homepage: http://couchdb.apache.org/
# Software Link: http://couchdb.apache.org/
# Version: up to 1.5.0
# Tested on: Linux Couchdb up to 1.5.0

HOW TO
======
curl http://couchdb_target/_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999

TEST
====
Tested on a 16G RAM Quadcore server. Couchdb dead on 30 seconds with only one GET request.

http://www.securityfocus.com/bid/66474/info
http://www.exploit-db.com/exploits/32519/
http://secunia.com/advisories/57572

Whiteboard: MGA3TOO => MGA3TOO has_procedure

In VirtualBox, M3, KDE, 32-bit

Package(s) under test: couchdb + heimdal-telnet

default install of couchdb

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.2.1-3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-1.mga3.i586 is already installed

Test procedure: http://wiki.apache.org/couchdb/CouchIn15Minutes
Using db name "example"
couchdb responds as expected

install couchdb from updates_testing

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.2.1-3.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-1.mga3.i586 is already installed

Test procedure: http://wiki.apache.org/couchdb/CouchIn15Minutes
Using db name "example2"
couchdb responds as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure MGA3-32-OK

In VirtualBox, M3, KDE, 64-bit

Package(s) under test: couchdb + heimdal-telnet

default install of couchdb

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.2.1-3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-1.mga3.x86_64 is already installed

Test procedure: http://wiki.apache.org/couchdb/CouchIn15Minutes
Using db name "example1"
couchdb responds as expected

install couchdb from updates_testing

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.2.1-3.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-1.mga3.x86_64 is already installed

Test procedure: http://wiki.apache.org/couchdb/CouchIn15Minutes
Using db name "example2"
couchdb responds as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Whiteboard: MGA3TOO has_procedure MGA3-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

In VirtualBox, M4, KDE, 32-bit

Package(s) under test: couchdb + heimdal-telnet

default install of couchdb

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.4.0-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-4.mga4.i586 is already installed

Test procedure: http://wiki.apache.org/couchdb/CouchIn15Minutes

As soon as I attempt to access the service at:
http://localhost:5984/_utils/
couchdb stops. The same if I use:
http://127.0.0.1:5984/
I get the Unable to connect browser notice.

MCC -> System - Manage system services
couchdb can be started but stops when accessed.

Started from terminal
service couchdb start
and I get the same thing.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Following procedure here https://bugs.mageia.org/show_bug.cgi?id=8973#c5

Both mga4 32 and 64 crash when starting manually or as a service.

# su - couchdb
-bash-4.2$ couchdb
{"init terminating in do_boot",{{badmatch,{error,{{app_would_not_start,asn1},{couch_app,start,[normal,["/etc/couchdb/default.ini","/etc/couchdb/local.ini"]]}}}},[{couch,start,0,[{file,"couch.erl"},{line,18}]},{init,start_it,1,[]},{init,start_em,1,[]}]}}
Crash dump was written to: erl_crash.dump
init terminating in do_boot ()

There was a similar issue there which was a missing requires, adding Nicolas to CC.

# rpm -qa erlang*
erlang-inets-R16B02-2.mga4
erlang-tools-R16B02-2.mga4
erlang-base-R16B02-2.mga4
erlang-public_key-R16B02-2.mga4
erlang-crypto-R16B02-2.mga4
erlang-ssl-R16B02-2.mga4
erlang-xmerl-R16B02-2.mga4
erlang-os_mon-R16B02-2.mga4

I'll attach a /var/lib/couchdb/erl_crash.dump

CC: (none) => mageia

Created attachment 5127 [details]
/var/lib/couchdb/erl_crash.dump

If necessary we can split the update and push mga3

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure feedback MGA3-32-OK MGA3-64-OK

David Walser
2014-04-23 16:07:04 CEST
CC: (none) => fundawang

should this be split to allow mga3 to be pushed?

I don't think we should push a mga3 update before mga4, regardless of the fact that the versions are different. We could just push it as-is for mga4, as the update isn't any more broken than the release version. We could add a note to the advisory about it in that case, giving a reference to a new bug that would be filed for the issue and saying it'll hopefully be fixed in a future update. I think we've done something like that in the past.

In the meantime, we should probably drop this package in Cauldron if nobody's interested in fixing it.

Hold off a little, I think I know where it fails, will test the fix.

CC: (none) => tmb

Thanks Thomas

couchdb-1.4.0-2.2.mga4 on the way to updates_testing. It needed erlang-asn1 and erlang-syntax_tools to work. I pushed the same fix to cauldron.

Whiteboard: MGA3TOO has_procedure feedback MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Still the same problem unfortunately..

Preparing... ##########
1/3: erlang-syntax_tools ##########
2/3: erlang-asn1 ##########
3/3: couchdb-bin ##########
1/1: removing couchdb-bin-1.4.0-2.mga4.x86_64
##########

# su - couchdb
-bash-4.2$ couchdb
{"init terminating in do_boot",{{badmatch,{error,{{app_would_not_start,compiler},{couch_app,start,[normal,["/etc/couchdb/default.ini","/etc/couchdb/local.ini"]]}}}},[{couch,start,0,[{file,"couch.erl"},{line,18}]},{init,start_it,1,[]},{init,start_em,1,[]}]}}
Crash dump was written to: erl_crash.dump
init terminating in do_boot ()

# service couchdb start
Redirecting to /bin/systemctl start couchdb.service
# service couchdb status
Redirecting to /bin/systemctl status couchdb.service
couchdb.service - CouchDB Server
Loaded: loaded (/usr/lib/systemd/system/couchdb.service; enabled)
Active: failed (Result: start-limit) since Sat 2014-05-03 13:04:01 BST; 3s ago
Process: 25106 ExecStart=/usr/bin/erl +Bd -noinput -sasl errlog_type error +K true +A 4 -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart (code=exited, status=1/FAILURE)
Main PID: 25106 (code=exited, status=1/FAILURE)

systemd[1]: couchdb.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Unit couchdb.service entered failed state.
systemd[1]: couchdb.service holdoff time over, scheduling restart.
systemd[1]: Stopping CouchDB Server...
systemd[1]: Starting CouchDB Server...
systemd[1]: couchdb.service start request repeated too quickly, refusing to start.
systemd[1]: Failed to start CouchDB Server.
systemd[1]: Unit couchdb.service entered failed state.

# rpm -qa | grep couchdb
couchdb-1.4.0-2.2.mga4
couchdb-bin-1.4.0-2.2.mga4

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO feedback has_procedure MGA3-32-OK MGA3-64-OK

Created attachment 5137 [details]
new /var/lib/couchdb/erl_crash.dump

Oops, my bad :/ It needs Requires on erlang-compiler too, which is a BuildRequires, so I missed it during my tests as it got pulled in when I tested the build :/

A fixed couchdb-1.4.0-2.3.mga4 is on the way to the mirrors.

Whiteboard: MGA3TOO feedback has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK

Fixed \o/ thanks Thomas.

Testing complete mga4 64

To satisfy dependencies, the following packages are going to be installed:
  Package           Version   Release   Arch
(medium "Core Release")
  erlang-compiler   R16B02    2.mga4    x86_64
(medium "Core Updates Testing")
  couchdb           1.4.0     2.3.mga4  x86_64
  couchdb-bin       1.4.0     2.3.mga4  x86_64

# su - couchdb
-bash-4.2$ couchdb
Apache CouchDB 1.4.0 (LogLevel=info) is starting.
Apache CouchDB has started. Time to relax.
[info] [<0.31.0>] Apache CouchDB has started on http://127.0.0.1:5984/
[info] [<0.289.0>] 127.0.0.1 - - GET /_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999 403

Test PoC and quit with ctrl-c

$ curl http://localhost:5984/_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999
{"error":"forbidden","reason":"count parameter too large"}

Check service starts ok..

# service couchdb start
Redirecting to /bin/systemctl start couchdb.service
# service couchdb status
Redirecting to /bin/systemctl status couchdb.service
couchdb.service - CouchDB Server
Loaded: loaded (/usr/lib/systemd/system/couchdb.service; enabled)
Active: active (running) since Sat 2014-05-03 14:00:40 BST; 2s ago
..etc

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK mga4-64-ok

Testing complete mga4 32

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update

Update pushed: http://advisories.mageia.org/MGASA-2014-0203.html

Resolution: (none) =>
FIXED

CC: (none) => jasonadamses
Dave Hodgins
2022-04-13 18:24:45 CEST
CC: jasonadamses => davidwhodgins
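The QA log above shows what the patched server does with the oversized `count` value: it answers 403 with "count parameter too large" instead of trying to allocate that many UUIDs. The following is an added illustration of that bounded-parameter pattern, written in Python for this page rather than taken from CouchDB's Erlang code; the ceiling name `MAX_UUID_COUNT` and its default of 1000 are assumptions, not CouchDB's configuration.

```python
"""Bounded handling of a /_uuids-style count parameter (added example).

Not CouchDB's own code: MAX_UUID_COUNT and its default are assumed values
standing in for whatever server-side limit the real fix uses.
"""
from urllib.parse import parse_qs, urlsplit
import uuid

MAX_UUID_COUNT = 1000  # assumed ceiling; the point is that one exists


def check_count(raw, max_count=MAX_UUID_COUNT):
    """Validate the raw query value before anything is allocated.

    Returns (403/400, error_dict) on rejection or (200, n) when acceptable.
    The digit-string length is compared first, so a 70-digit value is refused
    without ever being converted to an integer or iterated over.
    """
    # isascii() guards against Unicode digits that isdigit() accepts but int() rejects
    if not (raw.isascii() and raw.isdigit()):
        return 400, {"error": "bad_request", "reason": "count parameter must be an integer"}
    if len(raw) > len(str(max_count)) or int(raw) > max_count:
        return 403, {"error": "forbidden", "reason": "count parameter too large"}
    return 200, int(raw)


def handle_uuids(url, max_count=MAX_UUID_COUNT):
    """Serve GET /_uuids[?count=N]; mirrors the 403 response seen in the QA log."""
    parts = urlsplit(url)
    if parts.path != "/_uuids":
        return 404, {"error": "not_found", "reason": "missing"}
    raw = parse_qs(parts.query, keep_blank_values=True).get("count", ["1"])[0]
    status, result = check_count(raw, max_count)
    if status != 200:
        return status, result
    # Only here, with n already bounded, is memory for the response allocated
    return 200, {"uuids": [uuid.uuid4().hex for _ in range(result)]}


if __name__ == "__main__":
    # Constructed request using a count like the one in the report, against the local handler
    print(handle_uuids("/_uuids?count=" + "9" * 71))
    print(handle_uuids("/_uuids?count=3"))
```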