Bug 13220 - couchdb new security issue CVE-2014-2668
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/594897/
Whiteboard: MGA3TOO has_procedure advisory MGA3-3...
Keywords: validated_update

Reported: 2014-04-15 20:36 CEST by David Walser
Modified: 2014-05-03 18:35 CEST

Source RPM: couchdb-1.4.0-3.mga5.src.rpm


Attachments
/var/lib/couchdb/erl_crash.dump (287.03 KB, application/octet-stream)
2014-04-23 16:01 CEST, claire robinson
new /var/lib/couchdb/erl_crash.dump (421.33 KB, application/octet-stream)
2014-05-03 14:09 CEST, claire robinson

Description David Walser 2014-04-15 20:36:51 CEST
OpenSuSE has issued an advisory today (April 15):
http://lists.opensuse.org/opensuse-updates/2014-04/msg00039.html

The Novell bug has PoC information, but no patch information:
https://bugzilla.novell.com/871111

The SRPMS for this update don't appear to be on the mirror yet.

Mageia 3 and Mageia 4 are also affected.

Comment 1 David Walser 2014-04-21 23:04:10 CEST
Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated couchdb packages fix security vulnerability:

Apache CouchDB 1.5.0 and earlier allows remote attackers to cause a denial of
service (CPU and memory consumption) via the count parameter to /_uuids
(CVE-2014-2668).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2668
http://lists.opensuse.org/opensuse-updates/2014-04/msg00039.html
========================

Updated packages in core/updates_testing:
========================
couchdb-1.2.1-3.1.mga3
couchdb-bin-1.2.1-3.1.mga3
couchdb-1.4.0-2.1.mga4
couchdb-bin-1.4.0-2.1.mga4

from SRPMS:
couchdb-1.2.1-3.1.mga3.src.rpm
couchdb-1.4.0-2.1.mga4.src.rpm
Comment 2 David Walser 2014-04-21 23:05:08 CEST
There appears to be something wrong with download.opensuse.org, so I had to use Google to find OpenSuSE's SRPMS to get the patches.

Note to QA: see the Novell bug linked in Comment 0 for PoC information.
Comment 3 claire robinson 2014-04-21 23:33:33 CEST
# Exploit Title: Couchdb uuids DOS exploit
# Google Dork inurl: _uuids
# Date: 03/24/2014
# Exploit Author: KrustyHack
# Vendor Homepage: http://couchdb.apache.org/
# Software Link: http://couchdb.apache.org/
# Version: up to 1.5.0
# Tested on: Linux Couchdb up to 1.5.0

HOW TO
======
curl
http://couchdb_target/_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999

TEST
====
Tested on a 16G RAM Quadcore server. Couchdb dead on 30 seconds with only one
GET request.



http://www.securityfocus.com/bid/66474/info
http://www.exploit-db.com/exploits/32519/
http://secunia.com/advisories/57572
Comment 4 William Kenney 2014-04-22 20:31:16 CEST
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
couchdb + heimdal-telnet

default install of couchdb

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.2.1-3.mga3.i586 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-1.mga3.i586 is already installed

Test procedure:
http://wiki.apache.org/couchdb/CouchIn15Minutes
Using db name "example" couchdb responds as expected

install couchdb from updates_testing

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.2.1-3.1.mga3.i586 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-1.mga3.i586 is already installed

Test procedure:
http://wiki.apache.org/couchdb/CouchIn15Minutes
Using db name "example2" couchdb responds as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 5 William Kenney 2014-04-22 21:37:10 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
couchdb + heimdal-telnet

default install of couchdb

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.2.1-3.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-1.mga3.x86_64 is already installed

Test procedure:
http://wiki.apache.org/couchdb/CouchIn15Minutes
Using db name "example1" couchdb responds as expected

install couchdb from updates_testing

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.2.1-3.1.mga3.x86_64 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-1.mga3.x86_64 is already installed

Test procedure:
http://wiki.apache.org/couchdb/CouchIn15Minutes
Using db name "example2" couchdb responds as expected

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 6 William Kenney 2014-04-22 22:11:54 CEST
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
couchdb + heimdal-telnet

default install of couchdb

[root@localhost wilcal]# urpmi couchdb
Package couchdb-1.4.0-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi heimdal-telnet
Package heimdal-telnet-1.5.3-4.mga4.i586 is already installed

Test procedure:
http://wiki.apache.org/couchdb/CouchIn15Minutes
As soon as I attempt to access the service at:
http://localhost:5984/_utils/ couchdb stops.
The same if I use: http://127.0.0.1:5984/
I get the Unable to connect browser notice.
MCC -> System - Manage system services
couchdb can be started but stops when accessed.
Started from terminal
service couchdb start
and I get the same thing.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Comment 7 claire robinson 2014-04-23 15:59:28 CEST
Following procedure here https://bugs.mageia.org/show_bug.cgi?id=8973#c5

Both mga4 32 and 64 crash when starting manually or as a service.

# su - couchdb
-bash-4.2$ couchdb
{"init terminating in do_boot",{{badmatch,{error,{{app_would_not_start,asn1},{couch_app,start,[normal,["/etc/couchdb/default.ini","/etc/couchdb/local.ini"]]}}}},[{couch,start,0,[{file,"couch.erl"},{line,18}]},{init,start_it,1,[]},{init,start_em,1,[]}]}}

Crash dump was written to: erl_crash.dump
init terminating in do_boot ()


There was a similar issue there which was a missing requires, adding Nicolas to CC.

# rpm -qa erlang*
erlang-inets-R16B02-2.mga4
erlang-tools-R16B02-2.mga4
erlang-base-R16B02-2.mga4
erlang-public_key-R16B02-2.mga4
erlang-crypto-R16B02-2.mga4
erlang-ssl-R16B02-2.mga4
erlang-xmerl-R16B02-2.mga4
erlang-os_mon-R16B02-2.mga4


I'll attach a /var/lib/couchdb/erl_crash.dump
Comment 8 claire robinson 2014-04-23 16:01:49 CEST
Created attachment 5127 [details]
/var/lib/couchdb/erl_crash.dump
Comment 9 claire robinson 2014-04-23 16:02:47 CEST
If necessary we can split the update and push mga3
Comment 10 claire robinson 2014-05-02 17:10:52 CEST
Should this be split to allow mga3 to be pushed?
Comment 11 David Walser 2014-05-02 17:22:51 CEST
I don't think we should push a mga3 update before mga4, regardless of the fact that the versions are different.  We could just push it as-is for mga4, as the update isn't any more broken than the release version.  We could add a note to the advisory about it in that case, giving a reference to a new bug that would be filed for the issue and saying it'll hopefully be fixed in a future update.  I think we've done something like that in the past.  In the meantime, we should probably drop this package in Cauldron if nobody's interested in fixing it.
Comment 12 Thomas Backlund 2014-05-02 17:33:57 CEST
Hold off a little, I think I know where it fails, will test the fix.
Comment 13 claire robinson 2014-05-02 17:34:54 CEST
Thanks Thomas
Comment 14 Thomas Backlund 2014-05-02 18:46:09 CEST

couchdb-1.4.0-2.2.mga4 is on the way to updates_testing.

It needed erlang-asn1 and erlang-syntax_tools to work.

I pushed the same fix to Cauldron.
Comment 15 claire robinson 2014-05-03 14:07:13 CEST
Still the same problem unfortunately..

Preparing...                     ##########
      1/3: erlang-syntax_tools   ##########
      2/3: erlang-asn1           ##########
      3/3: couchdb-bin           ##########
      1/1: removing couchdb-bin-1.4.0-2.mga4.x86_64
                                 ##########

# su - couchdb
-bash-4.2$ couchdb
{"init terminating in do_boot",{{badmatch,{error,{{app_would_not_start,compiler},{couch_app,start,[normal,["/etc/couchdb/default.ini","/etc/couchdb/local.ini"]]}}}},[{couch,start,0,[{file,"couch.erl"},{line,18}]},{init,start_it,1,[]},{init,start_em,1,[]}]}}

Crash dump was written to: erl_crash.dump
init terminating in do_boot ()


# service couchdb start
Redirecting to /bin/systemctl start couchdb.service

# service couchdb status
Redirecting to /bin/systemctl status couchdb.service
couchdb.service - CouchDB Server
   Loaded: loaded (/usr/lib/systemd/system/couchdb.service; enabled)
   Active: failed (Result: start-limit) since Sat 2014-05-03 13:04:01 BST; 3s ago
  Process: 25106 ExecStart=/usr/bin/erl +Bd -noinput -sasl errlog_type error +K true +A 4 -couch_ini /etc/couchdb/default.ini /etc/couchdb/local.ini -s couch -pidfile /var/run/couchdb/couchdb.pid -heart (code=exited, status=1/FAILURE)
 Main PID: 25106 (code=exited, status=1/FAILURE)

systemd[1]: couchdb.service: main process exited, code=exited, status=1/FAILURE
systemd[1]: Unit couchdb.service entered failed state.
systemd[1]: couchdb.service holdoff time over, scheduling restart.
systemd[1]: Stopping CouchDB Server...
systemd[1]: Starting CouchDB Server...
systemd[1]: couchdb.service start request repeated too quickly, refusing to start.
systemd[1]: Failed to start CouchDB Server.
systemd[1]: Unit couchdb.service entered failed state.


# rpm -qa | grep couchdb
couchdb-1.4.0-2.2.mga4
couchdb-bin-1.4.0-2.2.mga4
Comment 16 claire robinson 2014-05-03 14:09:19 CEST
Created attachment 5137 [details]
new /var/lib/couchdb/erl_crash.dump
Comment 17 Thomas Backlund 2014-05-03 14:17:40 CEST
Oops, my bad :/

It needs a Requires on erlang-compiler too, which is a BuildRequires, so I missed it during my tests as it got pulled in when I tested the build :/

A fixed couchdb-1.4.0-2.3.mga4 is on the way to the mirrors.
Comment 18 claire robinson 2014-05-03 15:02:37 CEST
Fixed \o/ thanks Thomas. Testing complete mga4 64

To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch    
(medium "Core Release")
  erlang-compiler                R16B02       2.mga4        x86_64  
(medium "Core Updates Testing")
  couchdb                        1.4.0        2.3.mga4      x86_64  
  couchdb-bin                    1.4.0        2.3.mga4      x86_64

# su - couchdb 
-bash-4.2$ couchdb
Apache CouchDB 1.4.0 (LogLevel=info) is starting.
Apache CouchDB has started. Time to relax.
[info] [<0.31.0>] Apache CouchDB has started on http://127.0.0.1:5984/
[info] [<0.289.0>] 127.0.0.1 - - GET /_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999 403


Test PoC and quit with ctrl-c

$ curl http://localhost:5984/_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999

{"error":"forbidden","reason":"count parameter too large"}


Check service starts ok..

# service couchdb start
Redirecting to /bin/systemctl start couchdb.service

# service couchdb status
Redirecting to /bin/systemctl status couchdb.service
couchdb.service - CouchDB Server
   Loaded: loaded (/usr/lib/systemd/system/couchdb.service; enabled)
   Active: active (running) since Sat 2014-05-03 14:00:40 BST; 2s ago
..etc
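
Added example (not part of the original bug thread, and not CouchDB or Mageia code): a log audit that finds /_uuids requests like the one logged in Comment 18 and reports whether the server refused them with 403, as the patched package does. MAX_COUNT, the function names and the two extra sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumed local policy limit; the limit enforced by the patched package
# is not stated in this bug report.
MAX_COUNT = 1000

# Request-line shape taken from the CouchDB log output in Comment 18.
LOG_RE = re.compile(
    r"\[info\] \[<[\d.]+>\] (?P<client>\S+) - - "
    r"(?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$"
)

def exceeds(raw, limit):
    """True if raw is not a plain decimal number or is larger than limit."""
    if not (raw.isascii() and raw.isdigit()):
        return True
    digits = raw.lstrip("0") or "0"
    # Compare lengths first so an arbitrarily long value is never converted.
    return len(digits) > len(str(limit)) or int(digits) > limit

def audit_uuids_requests(lines, max_count=MAX_COUNT):
    """Report out-of-policy /_uuids counts; 'refused' means the server answered 403."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line.strip())
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != "/_uuids":
            continue
        for raw in parse_qs(url.query).get("count", []):
            if exceeds(raw, max_count):
                findings.append({
                    "client": m["client"],
                    "count_length": len(raw),
                    "status": int(m["status"]),
                    "refused": m["status"] == "403",
                })
    return findings

# First line is the log entry from Comment 18; the other two are constructed.
SAMPLE_LOG = [
    "[info] [<0.289.0>] 127.0.0.1 - - GET /_uuids?count=99999999999999999999999999999999999999999999999999999999999999999999999 403",
    "[info] [<0.301.0>] 192.0.2.10 - - GET /_uuids?count=5 200",
    "[info] [<0.302.0>] 192.0.2.11 - - GET /_uuids?count=100000000000 200",
]

if __name__ == "__main__":
    print(audit_uuids_requests(SAMPLE_LOG))
```

A finding with "refused" set to False means an oversized request was answered with something other than 403, which is worth checking against the installed couchdb package version.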
Comment 19 claire robinson 2014-05-03 15:11:54 CEST
Testing complete mga4 32

Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks
Comment 20 Thomas Backlund 2014-05-03 18:35:27 CEST
Update pushed:
http://advisories.mageia.org/MGASA-2014-0203.html
