[SEC] CVE-2018-15632 - Affects: Odoo 11.0 and earlier (Community an... #63700
odony opened this issue Dec 22, 2020 · 0 comments
odony commented Dec 22, 2020

Security Advisory - CVE-2018-15632

Affects: Odoo 11.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2018-15632
Component: Framework
Credits: P. Valov (SoCyber)

Improper input validation in the database creation logic of Odoo Community 11.0
and earlier and Odoo Enterprise 11.0 and earlier allows remote attackers
to initialize an empty database on which they can connect with default
credentials.

I. Background

Odoo includes several database creation mechanisms: the database manager screens
as well as various command-line options to the same effect.

II. Problem Description

The database initialisation logic could be triggered on a foreign database that
was not specifically meant to be used by Odoo.

III. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required
CVSS3 Score: High :: 8.2
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

When the PostgreSQL user configured for the Odoo service (db_user) has the right
to connect to non-Odoo databases, an unauthenticated attacker can craft a
malicious request causing an Odoo database to be initialized in a foreign
existing database. This may include the default databases "postgres" and
"template1", which are generally empty.

The attacker could then use default system credentials to connect as administrator
on the new database and trigger expensive computations or otherwise impact system
resources. If the deployment follows the security best practices from the Odoo
documentation, it should not be possible for the attacker to access other databases
already present on the system.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV. Workaround

Prevent the Odoo database user (db_user) from connecting to non-Odoo databases,
and from modifying data in those databases. The only exception to this is the
default "postgres" database, on which the Odoo database user should be able to
connect in read-only mode. Please refer to the PostgreSQL documentation for this.
This change will of course impair the database creation options in Odoo. When
needed, an empty database can be created with the PostgreSQL tools directly, which
is a best practice for deployment environments.
The new database can then be initialized by forcing the installation of an Odoo
module, after granting the necessary PostgreSQL rights.
Example:

   odoo-bin -c /path/to/config -d <new_db> -i base --without-demo=all
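
The PostgreSQL side of the workaround in section IV, written out as an added
example; this script is not part of the advisory or of the Odoo project. It
assumes the configured db_user is a role named "odoo", that the Odoo databases
are "odoo_prod" and "odoo_test", and that "legacy_erp" is a foreign database on
the same cluster; all four names are placeholders. Run it as a PostgreSQL
superuser with psql, since it uses the \connect meta-command.

```sql
-- Added example (not from the Odoo advisory): confine the Odoo PostgreSQL
-- role to its own databases, as section IV of the advisory asks.
-- Assumed names: role "odoo" (db_user), Odoo databases "odoo_prod" and
-- "odoo_test", foreign database "legacy_erp".
-- Usage: psql -U postgres -f harden_odoo_role.sql

-- 1. Every database grants CONNECT to PUBLIC by default; that default is what
--    lets the Odoo role reach template1 and any other database on the cluster.
--    Revoke it on each database Odoo must not touch, plus any explicit grant
--    the role may have received there.
REVOKE CONNECT ON DATABASE template1  FROM PUBLIC;
REVOKE CONNECT ON DATABASE legacy_erp FROM PUBLIC;
REVOKE ALL PRIVILEGES ON DATABASE template1  FROM odoo;
REVOKE ALL PRIVILEGES ON DATABASE legacy_erp FROM odoo;

-- 2. "postgres" stays reachable (the advisory allows a read-only connection),
--    but the role may not create schemas or tables in it. With no table
--    grants in that database, the role can only read the catalogs.
REVOKE CREATE ON DATABASE postgres FROM odoo;        -- no new schemas
\connect postgres
REVOKE CREATE ON SCHEMA public FROM PUBLIC;           -- no new tables (default grant up to PG 14)
REVOKE CREATE ON SCHEMA public FROM odoo;
ALTER ROLE odoo IN DATABASE postgres SET default_transaction_read_only = on;

-- 3. Database creation moves to the PostgreSQL tools (createdb -O odoo <new_db>),
--    so the role no longer needs CREATEDB. This is the part that disables the
--    Odoo database manager's create option, as the advisory notes.
ALTER ROLE odoo NOCREATEDB;

-- 4. The role owns its own databases, so it keeps full rights there; the
--    explicit grants only document that intent.
GRANT CONNECT ON DATABASE odoo_prod TO odoo;
GRANT CONNECT ON DATABASE odoo_test TO odoo;

-- 5. Check: for every database, can "odoo" still connect or create objects?
--    Expected after the changes: can_connect true only for postgres, odoo_prod
--    and odoo_test; can_create true only for odoo_prod and odoo_test.
SELECT datname,
       has_database_privilege('odoo', datname, 'CONNECT') AS can_connect,
       has_database_privilege('odoo', datname, 'CREATE')  AS can_create
FROM   pg_database
ORDER  BY datname;
```

Two caveats on the design. default_transaction_read_only is a session setting the
role can override with SET, so it is a guardrail against accidental writes, not
an access control; the REVOKE statements are what actually enforce the
restriction. Second, CONNECT revocation only covers databases that exist at the
time the script runs, so any database added to the cluster later needs the same
REVOKE, or a matching pg_hba.conf rule that limits the odoo role to its own
databases by name.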

Odoo Cloud servers are not vulnerable to this, as they use a dedicated database
provisioning system.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

   patch -p0 -f < /path/to/the_patch_file.patch

This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.

VI. Correction details

The following list contains the revisions after which the vulnerability
is corrected:

  • 11.0: a1dc2af
  • 11.0-ent (Enterprise): see 11.0