SB2017112143 - Fedora 27 update for couchdb, erlang-jiffy

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2017-12635)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due differences in the Erlang-based JSON parser and JavaScript-based JSON parser that can lead to submitting "_users" documents with duplicate keys for "roles" used for access control within the database, including the "_admin" role. A remote authenticated user can create a specially crafted document and abuse the JSON parser differences result in behavior for two 'roles' keys within a single document and gain administrative privileges within the database.

2) OS command injection (CVE-ID: CVE-2017-12636)

The vulnerability allows a remote administrative attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can configure the database server via HTTP(S) that include(s) paths for operating system-level binaries that are subsequently launched by CouchDB to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.

Successful exploitation of the vulnerability may result in system compromise.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2017-a20d92573b