
[SEC] OCA-2018-08-08-1 - Denial of Service via dbfilter_from_header #1335

Closed
nilshamerlinck opened this issue Aug 8, 2018 · 2 comments

Comments

@nilshamerlinck
Contributor

commented Aug 8, 2018

Security Advisory (OCA-2018-08-08-1)

Denial of Service via dbfilter_from_header

Affects: Odoo 8.0, 9.0, 10.0, 11.0 servers:

  • having dbfilter_from_header module available in the addons path
  • being directly accessible OR missing the expected configuration at the reverse proxy level (nginx)

Credits: Nils Hamerlinck (Trobz)
CVE-ID: CVE-2018-14733

I. Background

The dbfilter_from_header module from OCA's server-tools repository makes it possible to take into account a specific HTTP header in the request (X-Odoo-dbfilter or X-Openerp-dbfilter, depending on the version) to define the dbfilter that applies to the instance.

This is useful when you have one instance with multiple databases whose names don't match with the target domain names.

II. Problem Description

In a normal use case this HTTP header is set by the system administrator at the reverse proxy level (nginx); the module is added to the server_wide_modules config parameter and installed.

But the module contains a static/ directory, which had the unexpected effect of triggering its unconditional loading, even when it was not intended to be used: neither added to server_wide_modules nor installed.

III. Impact

Attack Vector: Network exploitable
Authentication: Not Required
CVSS3 Score: High :: 7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

So by just having it available in its addons path, the instance would load dbfilter_from_header.

An attacker could define an X-Odoo-dbfilter / X-Openerp-dbfilter header that would be evaluated as the db_filter regular expression.

By crafting a deliberately inefficient regular expression, they could cause a denial of service in Odoo (aka "ReDoS"):

  • in threaded mode, with one request;
  • in multi-workers mode, with one request per worker (that would process until limit_time_cpu).

IV. Workaround

  • If your Odoo server is accessible directly without any reverse proxy, there is no workaround. Note that using a reverse proxy is highly recommended for security as well as performance reasons.
  • If your Odoo server is running behind a reverse proxy, configure it at least to set the X-Odoo-dbfilter header to .* (or any relevant stricter regex for the concerned host):
    • nginx: proxy_set_header X-Odoo-dbfilter ^.*\Z;
    • others: see here

V. Solution

  • Update dbfilter_from_header source code.
  • If you intend to use this module in a deployment, make sure that:
    • proxy mode is enabled in Odoo's configuration file: proxy_mode = True
    • an X-Odoo-dbfilter header is properly defined at reverse proxy level
    • the module is added to server_wide_modules
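The three conditions from the Solution section, turned into a request-time gate that decides whether an incoming dbfilter header may override the configured dbfilter. This is an added illustration, not the module's own code: effective_dbfilter, filter_databases and the config keys are assumed names; the header names are the ones the advisory lists.

```python
import re

# Header names taken from the advisory (which one applies depends on the Odoo version).
HEADER_NAMES = ("X-Odoo-dbfilter", "X-Openerp-dbfilter")


def effective_dbfilter(headers, config):
    """Return the dbfilter regex to apply for this request.

    headers: dict of request headers (looked up case-insensitively).
    config:  dict with 'proxy_mode' (bool), 'server_wide_modules' (list of
             module names) and 'dbfilter' (the configured default regex).
             These key names are assumptions for this example.

    The header is honoured only when proxy mode is on (so the header was set
    by the reverse proxy, not the client) and the module is deliberately
    enabled server-wide; otherwise the configured dbfilter is used unchanged.
    """
    default = config.get("dbfilter", ".*")
    if not config.get("proxy_mode"):
        return default  # header could come straight from the network
    if "dbfilter_from_header" not in config.get("server_wide_modules", []):
        return default  # module is present on disk but not meant to be active
    lowered = {name.lower(): value for name, value in headers.items()}
    for name in HEADER_NAMES:
        value = lowered.get(name.lower())
        if not value:
            continue
        try:
            re.compile(value)  # reject syntactically invalid patterns early
        except re.error:
            return default
        return value
    return default


def filter_databases(db_names, pattern):
    """Keep the database names that the (already vetted) pattern matches."""
    rx = re.compile(pattern)
    return [db for db in db_names if rx.match(db)]


if __name__ == "__main__":
    # Constructed sample: a misconfigured server ignores the header entirely.
    cfg = {"proxy_mode": False, "server_wide_modules": [], "dbfilter": "^prod$"}
    print(effective_dbfilter({"X-Odoo-dbfilter": "^.*$"}, cfg))  # ^prod$
```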

VI. Correction details

The following list contains the revisions after which the vulnerability is corrected:

@nilshamerlinck nilshamerlinck changed the title [SEC] OCA-2018-08-08-1 - Denial of Service via `dbfilter_from_header` [SEC] OCA-2018-08-08-1 - Denial of Service via dbfilter_from_header Aug 8, 2018

@moylop260


Contributor

commented Aug 10, 2018

Hi @nilshamerlinck
Thanks for fixing this and advising us.

IMHO another issue is applying the monkey patch even if the module is not installed.
I have fixed this one in the following PR:

Could you check it, please?

moylop260 added a commit to vauxoo-dev/maintainer-tools that referenced this issue Aug 10, 2018

[REF] CONTRIBUTING: Consider post_load for monkey patches
See example OCA/server-tools#1340
Continuation from OCA#196

Reduce the risk of related issues like OCA/server-tools#1335
@moylop260


Contributor

commented Aug 10, 2018

We need to consider these kinds of cases in our guidelines:

trobz-git-mirror pushed a commit to trobz/odoo-production that referenced this issue Nov 12, 2018

Merge branch 'SEC-OCA-2018-08-08-1' into '20180817'
[SEC] update security for OCA/server-tools#1335

See merge request project/lalouve!638

bodedra added a commit to ursais/maintainer-tools that referenced this issue Dec 1, 2018


bodedra added a commit to ursais/maintainer-tools that referenced this issue Jan 10, 2019
