Security Advisory - ODOO-SA-2018-08-07-1
Report engine in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files.
Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: Core
Credits: Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14865
I. Background
Odoo's report engine relies on the external program "wkhtmltopdf" to generate PDF
documents from HTML files rendered from report templates. Wkhtmltopdf supports
loading remote resources such as images or stylesheets, but also permits loading
local files.
II. Problem Description
The report engine does not prevent access to local files during rendering by
wkhtmltopdf.
III. Impact
Attack Vector: Network exploitable
Authentication: Unprivileged user account required
CVSS3 Score: High :: 7.7
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Untrusted administrators on hosted databases may alter their report templates
in order to trick the report engine into including local server files.
External non-privileged users may also be able to trick the report engine into
including local files, by crafting malicious RPC requests.
Both methods could result in the disclosure of system files that are readable
by the Odoo server process, including Odoo configuration files or other
system files that could possibly include passwords or sensitive data.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
Attackers exploiting this vulnerability can only access files readable
by the Odoo server process. Sensitive files might therefore be
protected by using filesystem-level permissions. However, it is very hard to
effectively secure a system in this manner, so applying the patch or updating
your installation is strongly recommended instead.
Alternatively, the wkhtmltopdf executable could be replaced by a command
script that executes the actual wkhtmltopdf command with an extra parameter
"--disable-local-file-access".
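The wrapper approach described above, written out as an added example (this is not Odoo's code nor a script shipped with the advisory). It assumes the real binary has been renamed to /usr/local/bin/wkhtmltopdf.real (overridable through the REAL_WKHTMLTOPDF variable) and that this script is installed under the name "wkhtmltopdf" where Odoo resolves it. Beyond the advisory's one-line description, it also refuses calls that try to turn local file access back on, so a later flag cannot silently undo the safe one.

```shell
#!/bin/sh
# Added example, not Odoo's or the advisory's own code: a wrapper installed in
# place of the wkhtmltopdf binary that Odoo finds on PATH. Every call is
# forwarded to the real program with --disable-local-file-access forced in,
# so a report template can no longer pull file:// resources off the server.
#
# Assumptions: the real binary has been renamed to the path below (override
# with REAL_WKHTMLTOPDF), and this script is installed as "wkhtmltopdf".
REAL_WKHTMLTOPDF="${REAL_WKHTMLTOPDF:-/usr/local/bin/wkhtmltopdf.real}"

# Returns 0 when the caller tries to re-enable local file access; the wrapper
# refuses such calls instead of letting a later flag override the safe one.
has_enable_flag() {
    for arg in "$@"; do
        case "$arg" in
            --enable-local-file-access) return 0 ;;
        esac
    done
    return 1
}

# Builds the hardened argument vector and prints it one entry per line, so it
# can be inspected (or tested) without executing anything.
build_args() {
    if has_enable_flag "$@"; then
        echo "wkhtmltopdf wrapper: refusing --enable-local-file-access" >&2
        return 1
    fi
    printf '%s\n' "$REAL_WKHTMLTOPDF" --disable-local-file-access "$@"
}

# Replaces the current process with the real binary, safety flag first so
# Odoo's own options and the input/output paths follow unchanged.
run_wkhtmltopdf() {
    if has_enable_flag "$@"; then
        echo "wkhtmltopdf wrapper: refusing --enable-local-file-access" >&2
        return 1
    fi
    exec "$REAL_WKHTMLTOPDF" --disable-local-file-access "$@"
}

# Only dispatch when invoked with arguments (i.e. as the wrapper binary);
# sourcing the file for inspection leaves the functions defined but idle.
if [ "$#" -gt 0 ]; then
    run_wkhtmltopdf "$@"
fi
```

After installing it (move the real binary aside, put this script at the old path, mark it executable), render a report that references a file:// resource: that resource must now be missing from the PDF, which is the intended effect, while http(s) resources still load. Note that wkhtmltopdf releases from 0.12.6 onward disable local file access by default, so the wrapper matters most on the older builds that Odoo 9.0 through 11.0 installations typically use.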
Odoo Online servers were patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: