Security Advisory - ODOO-SA-2018-08-07-5
Improper sanitization of dynamic user expressions in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows authenticated privileged users to escape from the dynamic expression sandbox and execute arbitrary code on the hosting system.
Affects: Odoo 11.0 and earlier (Community and Enterprise Editions)
Component: Odoo Framework
Credits: <Undisclosed>
CVE ID: CVE-2018-14859
I. Background
Odoo includes a sandbox for interpreting dynamic business logic components,
such as the definition of workflows, automated actions, or the dynamic
expressions used within report templates.
The mechanism behind this sandbox is called 'safe eval' and keeps the system
safe while allowing advanced customizations. Its role is to execute
user-provided Odoo business logic, while preventing any undesired
effects on the data or the hosting platform - such as could be caused
by accident or by malicious users.
In order to be allowed to customize any of these dynamic business logic
components, one must usually be an administrator of an Odoo database,
or have otherwise received elevated privileges.
II. Problem Description
The default 'safe eval' sandbox environment was not sufficiently sanitized,
so an attacker with sufficient privileges might be able to escape the sandbox
through the use of specially crafted dynamic expressions.
Systems that host Odoo databases for untrusted users (e.g. SaaS platforms)
are particularly at risk, as they typically allow users to become administrators
of their own Odoo database. That level of access is sufficient to exploit the vulnerability.
III. Impact
Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS3 Score: Critical :: 9.1
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Malicious users with access to an administrator account on an Odoo database
might craft special code expressions specifically targeted at escaping
the sandbox protection.
This could in turn be used to execute arbitrary code as the user running
the Odoo service, and to launch system commands with access to local files and
local services.
Files and environments accessed in this manner may contain sensitive
information such as passwords that could also allow the user to gain elevated
privileges on the hosting machine itself, in addition to being able to run
commands.
Exploiting this vulnerability requires remote network access and an
administrator (or otherwise privileged) account on a database hosted on a
vulnerable Odoo installation.
Odoo S.A. is not aware of any use of this vulnerability in the wild.
IV. Workaround
No workaround is available, but systems that do not provide administrator
or otherwise privileged access to untrusted users are not vulnerable.
All Odoo Online servers were patched as soon as the correction was
available.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing the "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
(-p0 keeps the file paths in the patch unchanged, so it must be run from that
directory; -f applies without prompting and reports any hunk that fails.)
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
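As an added example (not part of this advisory and not Odoo's own tooling), the shell wrapper below automates the patch procedure above with the two checks a practitioner wants before touching a production tree: it verifies the expected "odoo"/"addons" layout and dry-runs the patch, applying it only when every hunk is known to fit. The function names, the throwaway tree built by demo_apply and its one-hunk patch are constructed for illustration; in practice pass the real install root and the advisory's patch file.

```sh
#!/bin/sh
# Added example: not part of the advisory and not Odoo's own tooling.
# Assumptions: the first argument is the Odoo install root (the directory
# containing "odoo" and "addons"), and the patch file is written to apply
# with "patch -p0" from that root, as the advisory describes.

# Return 0 if DIR has the GitHub-style layout the advisory patch expects.
check_odoo_layout() {
    [ -d "$1/odoo" ] && [ -d "$1/addons" ]
}

# Dry-run first so a mismatched layout or an already-patched tree leaves the
# installation untouched; apply for real only when the dry run is clean.
# Exit status: 0 applied, 1 wrong layout, 2 patch does not apply cleanly.
apply_odoo_patch() {
    dir=$1
    patchfile=$2
    check_odoo_layout "$dir" || return 1
    (cd "$dir" && patch -p0 -f --dry-run < "$patchfile" >/dev/null 2>&1) || return 2
    (cd "$dir" && patch -p0 -f < "$patchfile" >/dev/null)
}

# Self-contained demonstration on a constructed throwaway tree with a
# constructed one-hunk patch (stand-ins for a real checkout and the real
# advisory patch). Prints the patched first line; returns 0 only if the
# first run applied and the second run was refused by the dry run.
demo_apply() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/odoo/tools" "$tmp/addons"
    printf 'UNSAFE = True\nOTHER = 1\n' > "$tmp/odoo/tools/example.py"
    cat > "$tmp/fix.patch" <<'EOF'
--- odoo/tools/example.py
+++ odoo/tools/example.py
@@ -1,2 +1,2 @@
-UNSAFE = True
+UNSAFE = False
 OTHER = 1
EOF
    rc1=0; apply_odoo_patch "$tmp" "$tmp/fix.patch" || rc1=$?
    rc2=0; apply_odoo_patch "$tmp" "$tmp/fix.patch" || rc2=$?
    head -n 1 "$tmp/odoo/tools/example.py"
    rm -rf "$tmp"
    [ "$rc1" -eq 0 ] && [ "$rc2" -eq 2 ]
}

# Run the demonstration when executed directly (requires patch(1) on PATH).
if command -v patch >/dev/null 2>&1; then demo_apply; fi
```

The second call to apply_odoo_patch in demo_apply shows why the dry run matters: once the hunk is in place, patch -f does not try to guess that the file is already patched, so a repeated run fails its dry run and the tree is left alone instead of being partially re-patched or reversed.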
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: