
Limit dangerous diagnostic endpoints to be used from localhost only


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 4.0.0, 4.1.2, 4.5.1, 5.0.0, 4.6.5, 5.0.1, 5.1.1, 5.5.0, 5.5.1
    • Fix Version/s: 6.5.0, 6.0.0, 5.5.2
    • Component/s: ns_server
    • Security Level: Public
    • Triage: Untriaged
    • Is this a Regression?: Unknown
    • Release Notes:
    • CVE ID: CVE-2018-15728
    • CVSS/Severity: High

      Description


      Issue Status (Last updated: 05/16/2019)


      Publish date: October 2018

      Issue Summary: The /diag/eval endpoint is not locked down to localhost.

      CVSS/Severity: 8.8 (High)

      Description: Couchbase Server exposes the '/diag/eval' endpoint, which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have the 'Full Admin' role assigned can send arbitrary Erlang code to the 'diag/eval' endpoint of the API. The code is then executed on the underlying operating system with the privileges of the user account that was used to start Couchbase.

      Affected Products: Couchbase Server - Cluster Manager

      Recognition: Apple Security Team

      Limit diagnostic endpoints (at least everything like /diag/eval) to be used only from localhost.

      Note that this endpoint is authenticated and requires the highest privileges in the system (Full Admin). So it is already the case that a user who can access this endpoint can steal, delete or corrupt all the data in the system. Customers can mitigate this issue by tightly controlling access to full administrative privileges.

      CVE link: https://nvd.nist.gov/vuln/detail/CVE-2018-15728
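      The fix recorded below (ns_server commit 52667f2, "Make diag/eval bound to localhost") restricts the endpoint to loopback callers on top of the existing Full Admin check. The following Python is an added example, not ns_server code: `is_loopback` decides whether a peer address is local (including the IPv4-mapped IPv6 form of 127.0.0.1), `gate_request` applies the role check and then the locality check, and `find_remote_diag_calls` runs the same locality test over constructed access-log lines so an operator can look for earlier non-local calls. The log format, the user name `Administrator` and all addresses are assumptions; the peer address must be taken from the accepted socket, never from a client-supplied header such as X-Forwarded-For.

```python
"""Loopback-only gate for a diagnostic endpoint, plus a log check.

Added example modelling the MB-30920 fix generically; it is not
ns_server code and its log format is an assumption.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Endpoints that should only be reachable from the loopback interface.
# /diag/eval is named on the issue; add others as needed.
LOCAL_ONLY_ENDPOINTS = frozenset({"/diag/eval"})


def is_loopback(addr: str) -> bool:
    """True if addr is 127.0.0.0/8, ::1, or an IPv4-mapped loopback
    such as ::ffff:127.0.0.1. Unparsable input fails closed (False)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # normalise ::ffff:a.b.c.d to a.b.c.d
    return ip.is_loopback


def gate_request(peer_addr: str, path: str, is_full_admin: bool) -> Tuple[bool, str]:
    """Decide whether a request may reach a diagnostic endpoint.

    peer_addr is the address of the accepted TCP connection. The role
    check runs first (the endpoint already required Full Admin); the
    localhost restriction is layered on top of it.
    """
    if path.split("?", 1)[0] not in LOCAL_ONLY_ENDPOINTS:
        return True, "not a localhost-only endpoint"
    if not is_full_admin:
        return False, "Full Admin role required"
    if not is_loopback(peer_addr):
        return False, "restricted to localhost"
    return True, "allowed"


# Constructed access-log shape (assumption): <peer> - <user> "<method> <path> <proto>" <status>
LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_remote_diag_calls(lines: Iterable[str]) -> List[Tuple[str, str, str, int]]:
    """Return (peer, user, path, status) for every call to a localhost-only
    endpoint that did not come from a loopback address."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        path = m.group("path").split("?", 1)[0]
        if path in LOCAL_ONLY_ENDPOINTS and not is_loopback(m.group("src")):
            hits.append((m.group("src"), m.group("user"), m.group("path"),
                         int(m.group("status"))))
    return hits


# Constructed sample log lines; addresses and user names are made up.
SAMPLE_LOG = """\
127.0.0.1 - Administrator "POST /diag/eval HTTP/1.1" 200
10.0.0.5 - Administrator "POST /diag/eval HTTP/1.1" 200
::ffff:127.0.0.1 - Administrator "POST /diag/eval HTTP/1.1" 200
::1 - Administrator "POST /diag/eval?debug=1 HTTP/1.1" 200
10.0.0.7 - ro_user "GET /pools/default HTTP/1.1" 200
this line is not an access-log entry
"""

if __name__ == "__main__":
    print(gate_request("10.0.0.5", "/diag/eval", True))
    for hit in find_remote_diag_calls(SAMPLE_LOG.splitlines()):
        print("non-local diagnostic call:", hit)
```

      Run stand-alone, the block prints the refused decision for the non-local peer and flags the single sample line where /diag/eval was called from 10.0.0.5; the IPv4-mapped and ::1 callers are treated as local.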


          Activity

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-6.0.1-1951 contains ns_server commit 52667f2 with commit message:
          MB-30920: Make diag/eval bound to localhost

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-6.5.0-1503 contains ns_server commit a7c8f56 with commit message:
          Merge remote-tracking branch 'couchbase/alice'.

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-6.5.0-1503 contains ns_server commit 3041e5b with commit message:
          MB-31558: Merge remote-tracking branch vulcan.

          build-team Couchbase Build Team added a comment -

          Build couchbase-server-6.5.0-1503 contains ns_server commit 52667f2 with commit message:
          MB-30920: Make diag/eval bound to localhost

          lynn.straus Lynn Straus added a comment -

          Reopened to add CVE, CVSS and Security Vulnerability publication template.  The information in the template will be made public on our website.


            People

            Assignee:
            lynn.straus Lynn Straus
            Reporter:
            timofey.barmin Timofey Barmin