[SEC] ODOO-SA-2018-08-07-12 (CVE-2018-14885) - Incorrect access control in the... #32512

Closed · odony opened this issue Apr 8, 2019 · 0 comments
Labels: Security (security announcements)

odony (Contributor) commented Apr 8, 2019

Security Advisory - ODOO-SA-2018-08-07-12

Incorrect access control in the database manager component in Odoo Community 10.0 and 11.0 and Odoo Enterprise 10.0 and 11.0 allows a remote attacker to restore a database dump without knowing the super-admin password. An arbitrary password succeeds.

Affects: Odoo 10.0, 11.0 (Community and Enterprise Editions)
Component: Database Manager
Credits: Yenthe Van Ginneken and Erwin van der Ploeg (Odoo Experts)
CVE ID: CVE-2018-14885

I. Background

Odoo provides an interface to manage databases, and create, backup and restore
databases, in order to ease testing and development tasks.

Access to these sensitive operations is normally protected by a super-admin
password, chosen by the system administrator.

II. Problem Description

A programming error in the database restore feature rendered the super-admin
password protection ineffective.

III. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Public
CVSS3 Score: High :: 8.2
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

When the database manager screen is not deactivated, an attacker could restore
a database backup without knowing the super-admin password. This would allow
the injection of data, and the execution of requests on the server with
local database administration privileges.

On a properly configured server, this could degrade the performance
of the targeted server without gaining any access on the other databases
on the server.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV. Workaround

Only servers with the database manager enabled are vulnerable to this issue.
On production servers, deactivating the database manager will prevent attackers
from abusing the issue, and is strongly recommended.
See also the Odoo Deployment Guide:
https://www.odoo.com/documentation/11.0/setup/deploy.html

Revoking database creation rights for the PostgreSQL user configured for the
Odoo service will also prevent the attack.

Odoo Cloud servers are not vulnerable to this issue, because the database
manager is not enabled.
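The two workarounds above can be checked from the shell. The script below is an added example, not part of the advisory or of Odoo's own code. It assumes a standard Odoo INI configuration file whose `list_db` option controls the database manager (the setting the deployment guide recommends turning off; it defaults to True), and it uses `odoo` as a placeholder for the PostgreSQL role configured for the Odoo service.

```shell
#!/bin/sh
# Added audit helper for the two workarounds named in the advisory; this is
# example code, not Odoo's own. Assumptions: the Odoo config is an INI file
# with a "list_db" option (True by default, meaning the database manager is
# exposed), and the PostgreSQL role used by the Odoo service is called "odoo"
# (a placeholder; substitute the role from your db_user setting).

# Returns 0 when the config explicitly sets list_db = False (database manager
# disabled), 1 when it is enabled, 2 when the file is unreadable. Only the
# literal value "false" (any case) counts as disabled; anything else, including
# a missing option, is reported as enabled because True is the default.
odoo_db_manager_disabled() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Take the last list_db assignment (later assignments override earlier
    # ones), drop trailing comments and whitespace, and normalise the case.
    val=$(sed -n 's/^[[:space:]]*list_db[[:space:]]*=[[:space:]]*\([^#;]*\).*/\1/p' "$conf" \
          | tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    [ "$val" = "false" ]
}

# The PostgreSQL side. Run this query as a superuser to see whether the Odoo
# role may create databases (rolcreatedb is a column of pg_roles):
#   psql -tAc "SELECT rolcreatedb FROM pg_roles WHERE rolname = 'odoo'"
# and pass its one-line output ('t' or 'f') to this function. Returns 0 when
# the right has been revoked, 1 when it is still granted, 2 on unexpected input.
# The revocation itself is:  ALTER ROLE odoo NOCREATEDB;
pg_role_createdb_revoked() {
    flag=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$flag" in
        f) return 0 ;;
        t) return 1 ;;
        *) echo "unexpected psql output: '$1'" >&2; return 2 ;;
    esac
}

# Combine both checks into one verdict: 0 if at least one workaround is in
# place (either one prevents the restore-without-password issue), 1 if neither is.
odoo_restore_workaround_present() {
    conf="$1"; createdb_flag="$2"
    disabled=1; revoked=1
    odoo_db_manager_disabled "$conf" && disabled=0
    pg_role_createdb_revoked "$createdb_flag" && revoked=0
    if [ "$disabled" -eq 0 ] || [ "$revoked" -eq 0 ]; then
        echo "OK: database manager disabled=$disabled, CREATEDB revoked=$revoked (0 = yes)"
        return 0
    fi
    echo "EXPOSED: database manager enabled and role may create databases" >&2
    return 1
}

# Usage (paths and role are assumptions):
#   odoo_restore_workaround_present /etc/odoo/odoo.conf \
#       "$(psql -tAc "SELECT rolcreatedb FROM pg_roles WHERE rolname = 'odoo'")"
```

The config check is deliberately conservative: a missing or oddly spelled `list_db` value is reported as "enabled", because that is what the default gives you. Disabling the database manager removes the exposed interface entirely, while revoking CREATEDB limits what a restore attempt could achieve; on a production server both are worth having.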

V. Solution

Apply the patches corresponding to your Odoo installation, or update to
the latest revision, either via GitHub or by downloading it:
https://www.odoo.com/page/download

For the actual update procedure, please refer to our update instructions, valid
for all versions:
https://www.odoo.com/documentation/11.0/setup/update.html

If you choose to apply the patch instead, change into the main directory of
your Odoo installation (the one containing "odoo" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 10.0: b020308
  • 11.0: 5decf4a
  • 11.0-ent and 10.0-ent (Enterprise): see 11.0 and 10.0.

The version 9.0 is not impacted by this vulnerability.

@odony odony added the Security security announcements label Apr 8, 2019
@odony odony closed this as completed Apr 8, 2019
@odoo odoo locked and limited conversation to collaborators Apr 8, 2019