Apache CouchDB CVE-2017-12635 and CVE-2017-12636
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
couchdb (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
The installed CouchDB 1.5.0 in Ubuntu 14.04 LTS is vulnerable to the attacks as described in https:/
This is a critical flaw combination that allows anyone with access to the couchdb service over the network to create an admin user and start arbitrary processes on the server. This flaw is actually being used to start "xmrig" processes for Monero mining by attackers in the wild.
```
lsb_release -rd
Description: Ubuntu 14.04.5 LTS
Release: 14.04
```

```
apt-cache policy couchdb
couchdb:
  Installiert: 1.5.0-0ubuntu1
  Installations
  Versionstabelle:
 *** 1.5.0-0ubuntu1 0
        500 http://
        100 /var/lib/
```
(It will surely be the same for the 1.6.x packages that are included in Xenial (16.04) as well.)
Information type: Private Security → Public Security
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures