Security Advisory - ODOO-SA-2018-08-07-11
Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request.
Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: Odoo Framework
Credits: Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14887
I. Background
System administrators can configure a database filter in their Odoo service,
in order to host multiple databases on the same Odoo server, and dynamically
assign each request to the right database.
This is set using the "dbfilter" config parameter, which can use regular
expression patterns, and placeholders that will be replaced by the domain (%d)
and host (%h) of the request.
II. Problem Description
The placeholders were not properly sanitized before being injected in the
final db_filter expression used for the dynamic assignment.
III. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Public
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H
If the web server in front of the Odoo service is configured to allow arbitrary
domain names (VHosts), for example with a wildcard expression for subdomains, or
if the Odoo service is directly exposed to the internet, an attacker could craft
a request to cause a malicious db_filter evaluation.
This could be used to trigger:
 - a leak of the names of available databases hosted on the same server, even
   if database listing was disabled by the administrator
 - a denial of service (via a voluntarily inefficient regular expression)
The specific configuration necessary to make this exploitable is considered very
rare and unlikely in practice.
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
Only systems relying on db_filter with a %d or %h placeholder and a wildcard
virtual host in their web server (or directly exposing the Odoo service) are
vulnerable.
If that is your case, a workaround is to make sure you have properly set up a
web server in front of Odoo (e.g. nginx or Apache), and remove any wildcard
expression from virtual hosts configured in the web server. You can replace
those expressions with fixed host names, or with stricter expressions that only
allow alphanumeric characters.
Odoo Cloud servers were never vulnerable to this, as they do not use db_filter.
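As an added illustration of sections II, III and IV (this is not code from the advisory or from Odoo itself), the following Python model contrasts verbatim placeholder substitution with an escaped one, and adds a strict Host check of the kind the workaround recommends. The database names, the dbfilter value and the sample hosts are constructed; host_parts, filter_unsafe, filter_safe, route and STRICT_HOST are hypothetical names, and re.escape is used as the standard remedy for this class of regular-expression injection rather than as a quote of Odoo's patch.

```python
import re

# Constructed sample data: database names hosted on one Odoo server.
DATABASES = ["acme", "acme_test", "globex", "initech"]

# Constructed dbfilter as an administrator might set it: %d is replaced by the
# first label of the request host, so acme.example.com routes to "acme".
DBFILTER = "^%d$"

# Strict host syntax mirroring the workaround in section IV: labels made of
# alphanumerics and hyphens, joined by dots, with an optional port. Regex
# metacharacters such as "|", "*", "(" or ")" never pass this check.
# (Assumed check written for this example, not Odoo code.)
STRICT_HOST = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:[0-9]+)?$")


def host_parts(host):
    """Return (%d, %h) for a Host header value: the first dot-separated
    label, and the full host without its port."""
    h = host.split(":", 1)[0]
    d = h.partition(".")[0]
    return d, h


def filter_unsafe(dbs, host, dbfilter=DBFILTER):
    """Model of the flaw: placeholders are substituted verbatim, so any regex
    metacharacters in the Host header become part of the pattern."""
    d, h = host_parts(host)
    pattern = dbfilter.replace("%h", h).replace("%d", d)
    return [db for db in dbs if re.match(pattern, db)]


def filter_safe(dbs, host, dbfilter=DBFILTER):
    """Hardened model: substituted values are escaped with re.escape, so the
    host is matched literally whatever characters it contains."""
    d, h = host_parts(host)
    pattern = dbfilter.replace("%h", re.escape(h)).replace("%d", re.escape(d))
    return [db for db in dbs if re.match(pattern, db)]


def route(dbs, host, allowed_hosts=None, dbfilter=DBFILTER):
    """Front-end check in the spirit of section IV: refuse hosts that are not
    plain hostnames (or, when an allowlist is given, not fixed known names)
    before any filtering runs. Returns the candidate databases, or None when
    the host is rejected."""
    if allowed_hosts is not None:
        if host_parts(host)[1] not in allowed_hosts:
            return None
    elif not STRICT_HOST.match(host):
        return None
    return filter_safe(dbs, host, dbfilter)


if __name__ == "__main__":
    # A well-formed host routes to exactly one database in both models; a host
    # carrying a regex alternation widens the unsafe match to other databases
    # (the listing leak of section II) while the escaped filter and the strict
    # host check both refuse it.
    for host in ["acme.example.com", "acme|globex"]:
        print(host,
              "unsafe:", filter_unsafe(DATABASES, host),
              "safe:", filter_safe(DATABASES, host),
              "route:", route(DATABASES, host))
```

The two mitigations are independent: escaping inside the filter fixes the injection itself, while the strict host check (or a fixed allowlist of virtual host names) keeps crafted Host values from reaching the filter at all, which is what the workaround achieves at the web server layer.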
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: