OrientDB Flaws Fixed
Tuesday, September 8, 2015 @ 05:09 PM gHale
Three vulnerabilities ended up fixed in the free version (Community Edition) of the OrientDB database management system.
Officials addressed the flaws with the release of versions 2.1.1 and 2.0.15.
OrientDB is an open source NoSQL database management system developed by Orient Technologies. According to the developer, users download OrientDB more than 60,000 times per month, and over 100 enterprises and thousands of users rely on the product. Statistics from DB-Engines show OrientDB is the 52nd most popular database, and the second most popular multi-model database.
An advisory published by CERT said OrientDB has flaws that could allow an attacker to carry out actions with the victim’s privileges and gain administrative access to databases.
The first vulnerability detailed in the advisory is a cross-site request forgery (CSRF) affecting Studio, the web interface designed for the administration of OrientDB.
The security hole could allow an attacker to perform actions with the privileges of a targeted user. For the attack to work, the attacker needs to convince a logged-in user to execute a maliciously crafted request.
Researchers tested this vulnerability in the version of Studio bundled with OrientDB 2.0.3, but other older versions may also suffer from the issue, CERT said.
The second issue is the use of insufficiently random values when generating session IDs (CVE-2015-2913). OrientDB prior to version 2.1.0 relied on the java.util.Random class to generate random numbers. That class is not cryptographically secure, which could allow a potential attacker to predict session ID values and manipulate them to gain administrative privileges on the database.
Another flaw found in OrientDB relates to improper input validation (CVE-2015-2918). Since Studio does not by default enforce the same-origin policy (SOP) through the X-Frame-Options header, a malicious actor can create specially crafted pages and launch clickjacking attacks.
According to CERT, the insufficiently random value and CSRF vulnerabilities were addressed with the release of versions 2.0.15 and 2.1.1 in August. The CSRF bug was patched by disabling JSONP by default, while random number generation is now handled by the java.security.SecureRandom class.
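The following is an added illustration, not OrientDB's own code, of the difference between the two classes named above: a session ID drawn from java.util.Random is a pure function of a 48-bit seed, so the whole stream of IDs replays once the seed is known, whereas SecureRandom draws from the platform CSPRNG. The class and method names, and the constructed seed value, are assumptions for this example.

```java
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Random;

// Added example (not OrientDB code): weak vs. hardened session ID generation.
public class SessionIdDemo {

    // Weak pattern: one java.util.Random instance seeded at startup. Random is a
    // 48-bit linear congruential generator, so every ID it issues is determined
    // by that single seed; a guessed or leaked seed replays all of them.
    static List<String> weakSessionIds(long seed, int count) {
        Random rng = new Random(seed);
        List<String> ids = new ArrayList<>();
        for (int i = 0; i < count; i++) {
            byte[] id = new byte[16];
            rng.nextBytes(id);
            ids.add(Base64.getUrlEncoder().withoutPadding().encodeToString(id));
        }
        return ids;
    }

    // Hardened pattern: SecureRandom, 16 bytes (128 bits) per ID, no seed that
    // an observer could reconstruct from earlier outputs.
    static String strongSessionId(SecureRandom rng) {
        byte[] id = new byte[16];
        rng.nextBytes(id);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(id);
    }

    public static void main(String[] args) {
        // Constructed seed standing in for a startup timestamp (assumption).
        long seed = 1441735740000L;
        List<String> issued = weakSessionIds(seed, 3);
        List<String> replayed = weakSessionIds(seed, 3);
        // Same seed, identical ID stream: the "random" IDs are deterministic.
        System.out.println("weak IDs replay from seed: " + issued.equals(replayed));
        System.out.println("issued:   " + issued);
        System.out.println("replayed: " + replayed);

        SecureRandom secure = new SecureRandom();
        System.out.println("strong ID 1: " + strongSessionId(secure));
        System.out.println("strong ID 2: " + strongSessionId(secure));
    }
}
```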
Clickjacking attacks can be prevented by setting the value of the X-Frame-Options response header to “DENY.”
Attacks leveraging vulnerabilities in Studio can also be mitigated by disabling the web interface if it is not needed.