[SEC] ODOO-SA-2018-08-07-1 (CVE-2018-14865) - Report engine in Odoo Community... #32501
odony opened this issue Apr 8, 2019 · 0 comments
Security Advisory - ODOO-SA-2018-08-07-1

Report engine in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier does not use secure options when passing documents to wkhtmltopdf, which allows remote attackers to read local files.

Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: Core
Credits: Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14865

I. Background

Odoo's report engine relies on the external program "wkhtmltopdf" to generate PDF
documents from HTML files rendered from report templates. Wkhtmltopdf supports
loading remote resources such as images or stylesheets, but also permits loading
local files.

II. Problem Description

The report engine does not prevent access to local files during rendering by
Wkhtmltopdf.

III. Impact

Attack Vector: Network exploitable
Authentication: Unprivileged user account required
CVSS3 Score: High :: 7.7
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Untrusted administrators on hosted databases may alter their report templates
in order to trick the report engine into including local server files.

External non-privileged users may also be able to trick the report engine into
including local files, by crafting malicious RPC requests.

Both methods could result in the disclosure of system files that are readable
by the Odoo server process, including Odoo configuration files or other
system files that could possibly include passwords or sensitive data.

Odoo S.A. is not aware of any use of this vulnerability in the wild.

IV. Workaround

Attackers exploiting this vulnerability can only access files readable
by the Odoo server process. Sensitive files might therefore be
protected by using filesystem-level permissions. However, it is very hard to
effectively secure a system in this manner, so applying the patch or updating
your installation is strongly recommended instead.

Alternatively, the wkhtmltopdf executable can be replaced by a wrapper
script that runs the actual wkhtmltopdf binary with the extra parameter
"--disable-local-file-access".

Odoo Online servers were patched as soon as the correction was
available.
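The wrapper described above, written out as an added example (this is not Odoo's code or part of the advisory). It assumes the real binary has been renamed to the hypothetical path in REAL_WKHTMLTOPDF and that this script is installed under the name "wkhtmltopdf" where Odoo finds it on its PATH. The argument rewrite is kept in a separate function so it can be checked without wkhtmltopdf installed, and the flag is not added twice if a patched Odoo already passes it.

```shell
#!/bin/sh
# Wrapper standing in for the wkhtmltopdf binary (added example, not Odoo code).
# Assumptions: the real binary has been moved to REAL_WKHTMLTOPDF (hypothetical
# path) and this script is installed as "wkhtmltopdf" where Odoo looks for it.
REAL_WKHTMLTOPDF="${REAL_WKHTMLTOPDF:-/usr/local/bin/wkhtmltopdf.real}"
HARDENING_FLAG="--disable-local-file-access"

# Succeeds when the hardening flag is already among the arguments,
# so an already-patched Odoo that passes it itself does not get it twice.
has_local_file_flag() {
    for arg in "$@"; do
        [ "$arg" = "$HARDENING_FLAG" ] && return 0
    done
    return 1
}

# Prints the final argument list, one argument per line, with the hardening
# flag prepended unless it is already present. Kept as a function so the
# rewrite can be verified without running wkhtmltopdf at all.
hardened_args() {
    if ! has_local_file_flag "$@"; then
        set -- "$HARDENING_FLAG" "$@"
    fi
    printf '%s\n' "$@"
}

# Hand off to the real binary only when invoked with arguments (Odoo always
# passes options plus input and output paths). Running this file with no
# arguments only defines the helpers above.
if [ "$#" -gt 0 ]; then
    if [ ! -x "$REAL_WKHTMLTOPDF" ]; then
        echo "wkhtmltopdf wrapper: real binary not found at $REAL_WKHTMLTOPDF" >&2
        exit 127
    fi
    if ! has_local_file_flag "$@"; then
        set -- "$HARDENING_FLAG" "$@"
    fi
    exec "$REAL_WKHTMLTOPDF" "$@"
fi
```

After installing the wrapper, confirm that the command Odoo resolves is the script and not the original binary, and that a report still renders: the flag only stops the rendered document from pulling in other local files, which is the behaviour the advisory describes, so normal report output is unaffected.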

V. Solution

Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download

For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html

If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 9.0: d5efba2
  • 10.0: dae2822
  • 11.0: d255628
  • 11.0-ent, 10.0-ent and 9.0-ent (Enterprise): see 11.0, 10.0 and 9.0.