CVE-2022-24706: Apache CouchDB Remote Code Execution Vulnerability
CouchDB is a database that completely embraces the web. Store your data with JSON documents. Access your documents with your web browser, via HTTP. Query, combine and transform your documents with JavaScript. CouchDB works well with modern web and mobile apps. You can distribute your data, efficiently using CouchDB’s incremental replication. CouchDB supports master-master setups with automatic conflict detection.
Vulnerability Detail
1. CouchDB opens a random network port, bound to all available interfaces in anticipation of clustered operation and/or runtime introspection. A utility process called `epmd` advertises that random port to the network.
`epmd` itself listens on a fixed port.
2. CouchDB packaging previously chose a default `cookie` value for single-node as well as clustered installations. That cookie authenticates any communication between Erlang nodes.
Affected version
- Apache CouchDB < 3.2.2
- Apache CouchDB >= 3.2.2
Solution
We recommend that users upgrade Apache CouchDB to the latest version promptly to fix CVE-2022-24706. Alternatively, apply the mitigations below:
- Set up a firewall before installing CouchDB. The full CouchDB API is available on the registered port 5984, which is the only port that needs to be exposed for single-node installations. Installations that do not expose the separate distribution port to external access are not vulnerable.
- Force modification of the default Erlang cookie value in CouchDB 3.2.2 and later, and bind all CouchDB distribution ports to local IP addresses.
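The two mitigations above can be checked from the host itself. The following Python script is an added example written for this page; it is not part of Apache CouchDB and does not come from the advisory. It audits an Erlang `vm.args` file for the packaged default cookie and for the `-kernel inet_dist_use_interface` / `inet_dist_listen_min` / `inet_dist_listen_max` settings (real Erlang kernel parameters that CouchDB reads from `vm.args`), and it scans `ss -ltnp` output for `epmd` or `beam` sockets bound to a non-loopback address on any port other than 5984. The cookie value `monster` is the well-known default that CouchDB packaging shipped; the `vm.args` fragments and `ss` lines below are constructed sample data, and the hardened cookie value is a placeholder.

```python
import re

# The CouchDB HTTP API port; the only port a single-node install must expose (from the advisory).
COUCHDB_API_PORT = 5984
# epmd's fixed port (well-known Erlang default, not stated on the page).
EPMD_PORT = 4369
# Default cookie value shipped by CouchDB packaging before 3.2.2 (well-known value).
DEFAULT_COOKIES = {"monster"}
LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}
ERLANG_PROCS = {"epmd", "beam", "beam.smp"}

# One listening socket as printed by `ss -ltnp`, e.g.
#   LISTEN 0 128 0.0.0.0:4369 0.0.0.0:* users:(("epmd",pid=1234,fd=3))
SS_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def exposed_erlang_ports(ss_output):
    """Return (process, address, port) triples for Erlang sockets reachable from
    outside the host: epmd itself, or any beam socket other than the CouchDB API
    port, bound to a non-loopback address."""
    findings = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line.strip())
        if not m or m.group("proc") not in ERLANG_PROCS:
            continue
        port = int(m.group("port"))
        if port == COUCHDB_API_PORT or m.group("addr") in LOOPBACK:
            continue
        findings.append((m.group("proc"), m.group("addr"), port))
    return findings


def audit_vm_args(vm_args):
    """Return a list of problems found in an Erlang vm.args file: packaged default
    cookie, distribution listener not pinned to loopback, or an unrestricted
    distribution port range. Tuple values must be written without spaces."""
    problems = []
    cookie = None
    use_loopback = False
    dist_min = dist_max = None
    for raw in vm_args.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "-setcookie" and len(parts) > 1:
            cookie = parts[1]
        elif parts[0] == "-kernel" and len(parts) >= 3:
            kv = parts[1:]                      # -kernel may carry several key/value pairs
            for key, value in zip(kv[::2], kv[1::2]):
                if key == "inet_dist_use_interface":
                    use_loopback = value == "{127,0,0,1}"
                elif key == "inet_dist_listen_min":
                    dist_min = int(value)
                elif key == "inet_dist_listen_max":
                    dist_max = int(value)
    if cookie is None:
        problems.append("no -setcookie in vm.args; the node falls back to ~/.erlang.cookie")
    elif cookie in DEFAULT_COOKIES:
        problems.append(f"default cookie '{cookie}' still in use")
    if not use_loopback:
        problems.append("distribution listener not bound to 127.0.0.1 (inet_dist_use_interface)")
    if dist_min is None or dist_max is None:
        problems.append("distribution port range not pinned (inet_dist_listen_min/max)")
    return problems


# Constructed sample: a pre-3.2.2 style vm.args with the packaged default cookie.
WEAK_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie monster
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9100
"""

# Constructed sample: cookie replaced (placeholder value) and distribution bound to loopback.
HARDENED_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie REPLACE_WITH_LONG_RANDOM_SECRET
-kernel inet_dist_use_interface {127,0,0,1}
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9100
"""

# Constructed sample of `ss -ltnp` output on a single-node host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:4369 0.0.0.0:* users:(("epmd",pid=1234,fd=3))
LISTEN 0 128 0.0.0.0:5984 0.0.0.0:* users:(("beam.smp",pid=1250,fd=20))
LISTEN 0 128 0.0.0.0:41211 0.0.0.0:* users:(("beam.smp",pid=1250,fd=18))
LISTEN 0 128 127.0.0.1:9100 0.0.0.0:* users:(("beam.smp",pid=1250,fd=19))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=800,fd=3))
"""

if __name__ == "__main__":
    for proc, addr, port in exposed_erlang_ports(SAMPLE_SS):
        print(f"exposed: {proc} listening on {addr}:{port}")
    for label, text in (("weak", WEAK_VM_ARGS), ("hardened", HARDENED_VM_ARGS)):
        print(f"{label} vm.args:", audit_vm_args(text) or "no findings")
```

On a live host, feed the script the real `vm.args` contents and the output of `ss -ltnp`; any `epmd` or `beam` socket it reports on `0.0.0.0`, `*` or `[::]` is one the firewall in the first mitigation must block, and any `vm.args` finding corresponds to the second mitigation.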