Security Advisory - ODOO-SA-2018-08-07-12
Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds.
Affects: Odoo 10.0, 11.0 (Community and Enterprise Editions)
Component: Database Manager
Credits: Yenthe Van Ginneken and Erwin van der Ploeg (Odoo Experts)
CVE ID: CVE-2018-14885
I. Background
Odoo provides an interface to manage databases, and create, backup and restore
databases, in order to ease testing and development tasks.
Access to these sensitive operations is normally protected by a super-admin
password, chosen by the system administrator.
II. Problem Description
A programming error in the database restore feature rendered the super-admin
password protection ineffective.
III. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Public
CVSS3 Score: High :: 8.2
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
When the database manager screen is not deactivated, an attacker could restore
a database backup without knowing the super-admin password. This would allow
the injection of data, and the execution of requests on the server with
local database administration privileges.
On a properly configured server, this could degrade the performance
of the targeted server without gaining any access on the other databases
on the server.
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
Only servers with the database manager enabled are vulnerable to this issue.
On production servers, deactivating the database manager will prevent attackers
from abusing the issue, and is strongly recommended.
See also the Odoo Deployment Guide:
https://www.odoo.com/documentation/11.0/setup/deploy.html
Revoking database creation rights for the PostgreSQL user configured for the
Odoo service will also prevent the attack.
Odoo Cloud servers are not vulnerable to this issue, because the database
manager is not enabled.
V. Solution
Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download
For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html
If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
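The following script is an added example, not part of the advisory or of Odoo's own code. It audits the two workarounds from section IV and adds a layout check before the section V patch step. It assumes a standard odoo.conf with an [options] section; `list_db` is the Odoo option that enables the database manager (documented in the Deployment Guide linked above), and the role name "odoo" is an assumption to replace with your configured db_user.

```shell
#!/bin/sh
# Added example (not part of the advisory): helpers for the workarounds in
# section IV and the patch step in section V. Assumes the standard odoo.conf
# layout with an [options] section; `list_db` is Odoo's option that enables
# the database manager (see the Deployment Guide linked above).

# Return 0 when list_db is explicitly False (database manager disabled).
# An absent key means Odoo's default, True, so it is reported as enabled.
list_db_disabled() {
    val=$(grep -i '^[[:space:]]*list_db[[:space:]]*=' "$1" | tail -n 1 \
          | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
    [ "$val" = "false" ]
}

# SQL to verify and revoke CREATEDB for the PostgreSQL role Odoo connects as
# (second workaround in section IV). The role name passed in is an assumption.
pg_createdb_sql() {
    printf "SELECT rolname, rolcreatedb FROM pg_roles WHERE rolname = '%s';\n" "$1"
    printf "ALTER ROLE \"%s\" NOCREATEDB;\n" "$1"
}

# Sanity check before running the advisory's "patch -p0 -f < file" command:
# the current directory must be the Odoo root holding "odoo" and "addons".
odoo_root_ok() {
    [ -d "$1/odoo" ] && [ -d "$1/addons" ]
}

# Constructed sample configs so the script runs stand-alone.
tmp=$(mktemp -d)
printf '[options]\nadmin_passwd = changeme\nlist_db = True\n' > "$tmp/weak.conf"
printf '[options]\nadmin_passwd = changeme\nlist_db = False\n' > "$tmp/hardened.conf"
for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
    if list_db_disabled "$f"; then
        echo "$f: database manager disabled (list_db = False)"
    else
        echo "$f: database manager ENABLED - set list_db = False or apply the patch"
    fi
done
pg_createdb_sql odoo
odoo_root_ok "$tmp" || echo "$tmp is not an Odoo root; do not run patch here"
rm -rf "$tmp"
```

Run the printed SQL as a PostgreSQL superuser against the cluster serving Odoo; the first statement shows the current right, the second revokes it.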
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected:
The version 9.0 is not impacted by this vulnerability.