Apache CouchDB Fixes Holes

Tuesday, January 15, 2013 @ 05:01 PM gHale


Apache’s CouchDB project has released versions 1.0.4, 1.1.2 and 1.2.1, which fix vulnerabilities in the NoSQL database.

Versions 1.0.3, 1.1.1 and 1.2.0 and earlier all suffer from the vulnerabilities. The updates are the first releases from the project since 1.2.0 came out last April. CouchDB 1.3 is in development and should come out shortly.


A cross-site scripting issue (CVE-2012-5650) affects CouchDB’s Futon UI through code from the test suite; removing the test suite components or disabling the Futon UI is a temporary workaround. On Windows, a second issue (CVE-2012-5641) allows an attacker to access content directly by sending specially crafted requests that contain unescaped backslashes. This includes the _users and _replication databases, and it is possible to retrieve arbitrary files from the local filesystem.

The problem is apparently due to a bug in the MochiWeb HTTP library, which has since been fixed upstream. A final issue (CVE-2012-5649) affects users who have enabled JSONP support, as it could allow code to execute in client browsers by way of a crafted JSONP request and callback.
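As an added illustration of how a defender might triage HTTP access logs for the two request-shaped issues above (the unescaped-backslash requests behind CVE-2012-5641 and the crafted JSONP callback behind CVE-2012-5649), the script below is example code written for this article, not CouchDB's own. It assumes Common Log Format lines, that the JSONP callback arrives in a `callback` query parameter, and that a safe callback is a plain JavaScript identifier; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Common Log Format); not from any real server.
SAMPLE_LOG = "\n".join([
    r'10.0.0.5 - - [15/Jan/2013:17:01:00 +0000] "GET /_users/_all_docs HTTP/1.1" 200 512',
    r'10.0.0.7 - - [15/Jan/2013:17:01:03 +0000] "GET /_utils/..\..\example.txt HTTP/1.1" 200 1024',
    r'10.0.0.7 - - [15/Jan/2013:17:01:05 +0000] "GET /_utils/%5c..%5cexample.txt HTTP/1.1" 404 900',
    r'10.0.0.9 - - [15/Jan/2013:17:01:09 +0000] "GET /db/_design/app/_view/v?callback=render HTTP/1.1" 200 300',
    r'10.0.0.9 - - [15/Jan/2013:17:01:12 +0000] "GET /db/_design/app/_view/v?callback=alert(1)// HTTP/1.1" 200 300',
])

# Pulls the method and request target out of the quoted request section of a CLF line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: a benign JSONP callback is a bare JavaScript identifier, nothing more.
CALLBACK_RE = re.compile(r'^[A-Za-z_$][\w$]*$')


def inspect_request(target):
    """Return a list of finding labels for one request target (path plus query)."""
    findings = []
    parts = urlsplit(target)
    # Decode percent-encoding so an encoded backslash (%5c) is caught as well as a literal one.
    if '\\' in unquote(parts.path):
        findings.append('backslash-in-path')          # shape of the CVE-2012-5641 requests
    for cb in parse_qs(parts.query).get('callback', []):
        if not CALLBACK_RE.match(cb):
            findings.append('suspicious-jsonp-callback')  # shape of the CVE-2012-5649 requests
    return findings


def scan_log(text):
    """Return [(client_ip, target, findings)] for every log line that raises a finding."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a parseable request line
        findings = inspect_request(m.group('target'))
        if findings:
            hits.append((line.split()[0], m.group('target'), findings))
    return hits


if __name__ == '__main__':
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target, ', '.join(findings))
```

The same identifier-only check on the callback parameter is the usual hardening for any JSONP endpoint; backslash normalization, by contrast, belongs in the HTTP layer, which is where the upstream MochiWeb fix lives.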

The releases also contain a number of other fixes and enhancements to the Apache-licensed NoSQL document database. The 1.2.1 release is available from the main CouchDB page; 1.0.4 and 1.1.2 are available from Apache mirror sites.


