[SEC] ODOO-SA-2018-08-07-11 (CVE-2018-14887) - Improper Host header sanitizati... #32511

Closed
odony opened this issue Apr 8, 2019 · 0 comments
Security Advisory - ODOO-SA-2018-08-07-11

Improper Host header sanitization in the dbfilter routing component in Odoo Community 11.0 and earlier and Odoo Enterprise 11.0 and earlier allows a remote attacker to deny access to the service and to disclose database names via a crafted request.

Affects: Odoo 9.0, 10.0, 11.0 (Community and Enterprise Editions)
Component: Odoo Framework
Credits: Nils Hamerlinck (Trobz)
CVE ID: CVE-2018-14887

I. Background

System administrators can configure a database filter in their Odoo service,
in order to host multiple databases on the same Odoo server, and dynamically
assign each request to the right database.

This is set using the "dbfilter" config parameter, which can use regular
expression patterns, and placeholders that will be replaced by the domain (%d)
and host (%h) of the request.

II. Problem Description

The placeholders were not properly sanitized before being injected in the
final db_filter expression used for the dynamic assignment, so a request whose
Host header contains regular expression metacharacters changes the pattern
that is evaluated against the list of databases.

III. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Public
CVSS3 Score: Medium :: 6.5
CVSS3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H

If the web server in front of the Odoo service is configured to allow arbitrary
domain names (VHosts), for example with a wildcard expression for subdomains, or
if the Odoo service is directly exposed to the internet, an attacker could craft
a request to cause a malicious db_filter evaluation.

This could be used to trigger:

  • a leak of the names of available databases hosted on the same server, even
    if database listing was disabled by the administrator
  • a denial of service (via a deliberately inefficient regular expression)

The specific configuration necessary to make this exploitable is considered very
rare and unlikely in practice.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV. Workaround

Only systems relying on db_filter with a %d or %h placeholder and a wildcard
virtual host in their web server (or directly exposing the Odoo service) are
vulnerable.

If that is your case, a workaround is to make sure you have properly set up a
web server in front of Odoo (e.g. nginx or Apache), and remove any wildcard
expression from virtual hosts configured in the web server. You can replace
those expressions with fixed host names, or with stricter expressions that only
allow alphanumeric characters.

Odoo Cloud servers were never vulnerable to this, as they do not use db_filter.

V. Solution

Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download

For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html

If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 9.0: afde870
  • 10.0: 4e4dd4d
  • 11.0: 6d83f70
  • 11.0-ent, 10.0-ent and 9.0 (Enterprise): see 11.0, 10.0 and 9.0.
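The substitution described in sections I to III, as an added example that is not Odoo's own code and does not reproduce the referenced commits: a minimal stand-in for a dbfilter matcher that fills the %h and %d placeholders from a Host header, once verbatim (the flaw) and once with the values escaped so they can only match literally. The database names, host values and helper names are constructed for the example, and the exact host-splitting rules (port stripped, leading "www" skipped) are an assumption of this example rather than a description of the real implementation.

```python
import re

# Constructed sample data: database names hosted on one server (not real).
DATABASES = ["acme", "acme_staging", "globex", "initech"]


def host_parts(host_header):
    """Derive the %h and %d placeholder values from a Host header value.

    %h is the host with any port removed; %d is its first DNS label, skipping
    a leading "www".  These splitting rules are an assumption of this example.
    """
    h = host_header.split(":")[0]
    d, _, rest = h.partition(".")
    if d == "www" and rest:
        d = rest.partition(".")[0]
    return h, d


def db_filter_vulnerable(dbs, dbfilter, host_header):
    """Substitute placeholders verbatim: regex metacharacters sent by the
    client become part of the pattern that is matched against every name."""
    h, d = host_parts(host_header)
    pattern = dbfilter.replace("%h", h).replace("%d", d)
    return [db for db in dbs if re.match(pattern, db)]


def db_filter_hardened(dbs, dbfilter, host_header):
    """Escape placeholder values so the Host header can only match literally."""
    h, d = host_parts(host_header)
    pattern = dbfilter.replace("%h", re.escape(h)).replace("%d", re.escape(d))
    return [db for db in dbs if re.match(pattern, db)]


# Allow-list in the spirit of the workaround: DNS-safe characters only,
# optional numeric port.  Anything else should be rejected before it reaches
# the application (assumed policy for this example).
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:[0-9]+)?$")


def host_allowed(host_header):
    return HOST_RE.match(host_header) is not None


if __name__ == "__main__":
    dbfilter = "^%d$"
    for host in ["acme.example.com", r"\w+.example.com", "acme|globex.example.com"]:
        print(host, "allowed" if host_allowed(host) else "rejected",
              db_filter_vulnerable(DATABASES, dbfilter, host),
              db_filter_hardened(DATABASES, dbfilter, host))
```

With the filter `^%d$`, a Host of `\w+.example.com` turns the pattern into `^\w+$` and the verbatim version returns every database, which is the listing leak described in section III; `acme|globex.example.com` shows that alternation also splits the anchors, so `acme_staging` matches too. The escaped version returns nothing for either host and still resolves `acme.example.com:8069` to `acme`. Note that the verbatim version also raises `re.error` for a Host containing an unbalanced bracket, which is one more way a crafted request can turn into failed requests.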
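The workaround in section IV, as an added nginx example that is not part of the advisory or of Odoo's documentation: the wildcard virtual host that forwards any Host value ending in the configured suffix, beside a corrected configuration that only accepts fixed names or a strict per-label expression and drops everything else. The domain names, the backend address 127.0.0.1:8069 and the tenant capture name are assumptions of this example.

```nginx
# Weak: a wildcard server_name forwards any Host header that ends in
# ".example.com", including values carrying regex metacharacters, straight
# to Odoo, where the dbfilter placeholders are filled from it.
server {
    listen 80;
    server_name *.example.com;
    location / {
        proxy_pass http://127.0.0.1:8069;
        proxy_set_header Host $host;
    }
}

# Corrected: a catch-all server that closes the connection for any Host
# not explicitly configured below.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    # Either list the fixed host names ...
    server_name acme.example.com globex.example.com;
    # ... or use a stricter expression that only allows alphanumerics and
    # hyphens in the tenant label (uncomment instead of the line above):
    # server_name ~^(?<tenant>[a-z0-9-]+)\.example\.com$;
    location / {
        proxy_pass http://127.0.0.1:8069;
        proxy_set_header Host $host;
    }
}
```

The `default_server` block matters as much as the strict names: without it, a request with an unexpected Host header is served by the first configured server block for that listen address, so the allow-list would not actually apply.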