IBM Support

How to protect yourself from security vulnerabilities in CouchDB

Troubleshooting


Problem

You may be aware of recently published details about security vulnerabilities in CouchDB. You can see CouchDB's announcement here, https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-c…. Cloudant packages CouchDB for its on-premises version - Cloudant Local. We are in the process of creating a patch for Cloudant Local. The patch will be made available through the usual channels.

Resolving The Problem

Follow these steps to ensure you are protected from the vulnerability. If you need any clarification, reach out to your usual support channels.

1. Ensure that the two standard admin passwords for the installation (one server admin password, one administrator password for the _users database) are strong passwords and not the default. See steps 1 and 2 below.

2. You must only grant server _admin permissions to users who are also granted root privileges on the servers running Cloudant Local. See step 3 below.

Follow these steps to protect your environment.

1. Set the server admin password.

  • Run the following command:

    curl -u admin:pass http://hostname/_all_dbs

    If this command succeeds, you must reset the admin password to a secure password.
  • If you have Cloudant Local 1.1.0, you should update the "admin" and "cloudant" admin user passwords (which are weak by default) by entering remsh and typing:

        cloudant_local_util:set_cluster_admin_password("admin", "STRONGADMINPASSWORD").

        cloudant_local_util:set_cluster_admin_password("cloudant", "STRONGADMINPASSWORD").

    You should make sure that both admin users, "admin" and "cloudant", have strong passwords.
  • If you are using a previous version, you can enter a remsh, and paste the following code into the shell:

        %% Call Generator until Condition returns ok, sleeping SleepMS between tries.
        %% There is no clause for Iter > MaxIters, so exhausting the retries raises a
        %% function_clause error in the shell instead of continuing with a plaintext value.
        _retry_until = fun _retry_until(Generator, Condition, SleepMS, MaxIters, Iter) when Iter =< MaxIters ->
            Val = Generator(),
            case Condition(Val) of
                ok -> Val;
                _ -> timer:sleep(SleepMS),
                     _retry_until(Generator, Condition, SleepMS, MaxIters, Iter + 1)
            end
        end.

        %% Set the password in the local "admins" config section, wait until CouchDB has
        %% replaced the plaintext with its hash, then copy that hash to every node.
        _set_cluster_admin_password = fun(Username, Password) ->
            Section = "admins",
            ok = config:set(Section, Username, Password),
            Generator = fun() -> config:get(Section, Username) end,
            Condition = fun (P) when P =:= Password -> unhashed; (_) -> ok end,
            HashedPassword = _retry_until(Generator, Condition, 1, 10, 0),
            {Results, []} = rpc:multicall(config, set, [Section, Username, HashedPassword]),
            true = lists:all(fun(ok) -> true end, Results),
            {Passwords, []} = rpc:multicall(config, get, [Section, Username]),
            true = lists:all(fun(P) -> P =:= HashedPassword end, Passwords),
            ok
        end.

        _set_cluster_admin_password("admin", "STRONGADMINPASSWORD").

        _set_cluster_admin_password("cloudant", "STRONGADMINPASSWORD").

2. Update the usersadmin password:

    curl -X GET http://localhost:5984/_users/org.couchdb.user:usersadmin -u admin
    {
      "_id": "org.couchdb.user:usersadmin",
      "_rev": "1-e0ebfb84005b920488fc7a8cc5470cc0",
      "derived_key": "e579375db0e0c6a6fc79cd9e36a36859f71575c3",
      "iterations": 10,
      "name": "usersadmin",
      "password_scheme": "pbkdf2",
      "roles": [],
      "salt": "1112283cf988a34f124200a050d308a1",
      "type": "admin"
    }

Use the _rev from that document to update the password by running the following command (the document is replaced with a PUT; curl would otherwise send a POST when -d is given):

    curl -X PUT -u admin:STRONGADMINPASSWORD https://hostname/_users/org.couchdb.user:usersadmin \
      -H "Accept: application/json" \
      -H "Content-Type: application/json" \
      -d '{"_rev":"1-46a53b805df5db787145d5a0586568a2","type":"user","name":"usersadmin","password":"STRONGADMINPASSWORD"}'


See the CouchDB documentation for more details, http://docs.couchdb.org/en/2.0.0/intro/security.html#password-changing.

3. Check who is a server admin by starting a remsh on a database node and following this step:

    [root@db1 ~]# remsh
    Erlang/OTP 17 [erts-6.4] [source-2e19e2f] [64-bit] [async-threads:10] [hipe] [kernel-poll:false]
    Eshell V6.4 (abort with ^G)
    (cluster@db1.el6.user)1> config:get("admins").

    You should assume users in that list are capable of gaining root privileges on the cluster. If you would not grant them root privileges, then you ought to remove the user from the admins list as follows:

    rpc:multicall(config, delete, ["admins", "ADMIN_TO_BE_REMOVED"]).
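The two HTTP checks from steps 1 and 2 (does the server admin still accept the default password; rotate the usersadmin password using the document's current _rev), written up as an added Python example. This is not code from the IBM page or from Cloudant. The helper names, the 16-character minimum, the default URL and the opener parameter (which lets the functions be exercised against a fake server) are assumptions; SAMPLE_USERSADMIN_DOC is a constructed copy shaped after the GET output shown in step 2.

```python
"""Added example, not the page's or Cloudant's code: steps 1 and 2 over HTTP
with only the standard library. Helper names, MIN_PASSWORD_LENGTH and the
opener parameter are assumptions; SAMPLE_USERSADMIN_DOC is constructed."""
import base64
import json
import os
import urllib.error
import urllib.request

MIN_PASSWORD_LENGTH = 16  # assumed local policy; the page only says "strong"

# Constructed sample shaped after the GET output in step 2.
SAMPLE_USERSADMIN_DOC = {
    "_id": "org.couchdb.user:usersadmin",
    "_rev": "1-e0ebfb84005b920488fc7a8cc5470cc0",
    "derived_key": "e579375db0e0c6a6fc79cd9e36a36859f71575c3",
    "iterations": 10,
    "name": "usersadmin",
    "password_scheme": "pbkdf2",
    "roles": [],
    "salt": "1112283cf988a34f124200a050d308a1",
    "type": "admin",
}


def basic_auth_header(username, password):
    """The Authorization value that curl's -u option sends."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def _request(method, url, auth, body=None, opener=urllib.request.urlopen):
    """One JSON request; returns (status, decoded body). A 4xx is returned rather
    than raised so callers can treat 401 as an answer, not an error."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", auth)
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with opener(req) as resp:
            return resp.status, json.loads(resp.read() or b"null")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"null")


def admin_login_succeeds(base_url, username, password, opener=urllib.request.urlopen):
    """Step 1's test: GET /_all_dbs with the candidate credentials. A 200 means
    the account still accepts that password and must be reset."""
    status, _ = _request("GET", f"{base_url}/_all_dbs",
                         basic_auth_header(username, password), opener=opener)
    return status == 200


def build_password_update(current_doc, new_password):
    """Turn the fetched _users document into the PUT body of step 2. A plaintext
    "password" field makes CouchDB derive a fresh salt and hash, so the stored
    derived_key/salt/iterations fields are dropped instead of copied across."""
    if len(new_password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    return {
        "_id": current_doc["_id"],
        "_rev": current_doc["_rev"],  # a stale _rev gets a 409, never a silent overwrite
        "name": current_doc["name"],
        "roles": list(current_doc.get("roles", [])),
        "type": "user",
        "password": new_password,
    }


def rotate_user_password(base_url, admin_auth, username, new_password,
                         opener=urllib.request.urlopen):
    """Fetch the document for its current _rev, then PUT the update; returns the new _rev."""
    url = f"{base_url}/_users/org.couchdb.user:{username}"
    status, doc = _request("GET", url, admin_auth, opener=opener)
    if status != 200:
        raise RuntimeError(f"could not read {url}: HTTP {status}")
    update = build_password_update(doc, new_password)
    status, result = _request("PUT", url, admin_auth, body=update, opener=opener)
    if status not in (200, 201):
        raise RuntimeError(f"update rejected: HTTP {status} {result}")
    return result["rev"]


if __name__ == "__main__":
    # Usage: COUCH_URL=http://hostname:5984 ADMIN_PASS=... NEW_USERSADMIN_PASS=... python3 audit.py
    base = os.environ.get("COUCH_URL", "http://localhost:5984")
    if admin_login_succeeds(base, "admin", "pass"):
        print("FINDING: server admin still accepts the default password; reset it (step 1)")
    new_pw = os.environ.get("NEW_USERSADMIN_PASS")
    if new_pw:
        auth = basic_auth_header("admin", os.environ["ADMIN_PASS"])
        print("usersadmin updated, new _rev:", rotate_user_password(base, auth, "usersadmin", new_pw))
```

The functions take an opener so they can be run against a stub of the server first; in production, leave the default so urllib talks to the real cluster. Carrying the fetched _rev into the PUT is what makes the rotation safe to script: if someone else changed the document in between, CouchDB answers 409 and the script stops rather than overwriting.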

Product: IBM Cloudant Data Layer Local Edition (SSTPQH); Business Unit: IBM Software w/o TPS; Component: Not Applicable; Platform: Linux; Version: 1.0.0, 1.1.0; Edition: All Editions; Line of Business: Data and AI

Document Information

Modified date:
16 June 2018

UID

swg22010615