Security Advisory - CVE-2018-15632
Affects: Odoo 11.0 and earlier (Community and Enterprise Editions)
CVE ID: CVE-2018-15632
Component: Framework
Credits: P. Valov (SoCyber)
Improper input validation in database creation logic in Odoo Community 11.0
and earlier and Odoo Enterprise 11.0 and earlier, allows remote attackers
to initialize an empty database on which they can connect with default
credentials.
I. Background
Odoo includes several database creation mechanisms: the database manager screens
as well as various command-line options to the same effect.
II. Problem Description
The database initialisation logic could be triggered on a foreign database that
was not specifically meant to be used by Odoo.
III. Impact
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required
CVSS3 Score: High :: 8.2
CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
When the PostgreSQL user configured for the Odoo service (db_user) has the right
to connect to non-Odoo databases, an unauthenticated attacker can craft a
malicious request causing an Odoo database to be initialized in a foreign
existing database. This may include the default databases "postgres" and
"template1", which are generally empty.
The attacker could then use default system credentials to connect as administrator
on the new database and trigger expensive computations or otherwise impact system
resources. If the deployment follows the security best practices from the Odoo
documentation, it should not be possible for the attacker to access other databases
already present on the system.
Odoo S.A. is not aware of any malicious use of this vulnerability.
IV. Workaround
Prevent the Odoo database user (db_user) from connecting to non-Odoo databases,
and from modifying data in those databases. The only exception to this is the
default "postgres" database, on which the Odoo database user should be able to
connect in read-only mode. Please refer to the PostgreSQL documentation for this.
This change will of course impair the database creation options in Odoo. When
needed, an empty database can be created with the PostgreSQL tools directly, which
is a best practice for deployment environments.
The new database can then be initialized by forcing the installation of an Odoo
module, after granting the necessary PostgreSQL rights.
Example:
odoo-bin -c /path/to/config -d <new_db> -i base --without-demo=all
Odoo Cloud servers are not vulnerable to this, as they use a dedicated database
provisioning system.
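The PostgreSQL side of the workaround, as an added example that is not part of the advisory: it assumes the Odoo service role is named "odoo" and is run with psql as a superuser; replace the role name and any other non-Odoo database names to match your deployment.

```sql
-- Added example (not from the advisory). Assumes the Odoo db_user role is
-- called "odoo"; run as a PostgreSQL superuser via psql.

-- 1. Odoo's own database creation options are no longer needed, so take the
--    CREATEDB attribute away; databases are provisioned by an administrator.
ALTER ROLE odoo NOCREATEDB;

-- 2. template1 accepts connections from PUBLIC by default, which is what lets
--    the initialisation logic land in it. Close it to everyone but superusers.
REVOKE CONNECT ON DATABASE template1 FROM PUBLIC;
REVOKE CONNECT ON DATABASE template1 FROM odoo;

-- 3. Repeat for every other non-Odoo database on the server (placeholder name).
-- REVOKE CONNECT ON DATABASE other_app_db FROM odoo;

-- 4. "postgres" stays reachable (Odoo lists databases through it) but read-only:
--    no TEMP tables, no object creation in its public schema.
REVOKE ALL ON DATABASE postgres FROM PUBLIC;
GRANT CONNECT ON DATABASE postgres TO odoo;
\connect postgres
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM odoo;

-- 5. Check: only the Odoo databases and "postgres" should show can_connect = t,
--    and "postgres" should show can_temp = f.
SELECT datname,
       has_database_privilege('odoo', datname, 'CONNECT') AS can_connect,
       has_database_privilege('odoo', datname, 'TEMP')    AS can_temp
  FROM pg_database
 WHERE NOT datistemplate OR datname = 'template1'
 ORDER BY datname;

-- 6. Provisioning a new Odoo database afterwards happens out of band, as the
--    advisory describes (shell, not SQL):
--    createdb -O odoo new_db
--    odoo-bin -c /path/to/config -d new_db -i base --without-demo=all
```

Because CONNECT on template1 is revoked from PUBLIC, other non-superuser roles lose it too; grant it back explicitly to any role that legitimately needs it.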
V. Solution
Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from https://www.odoo.com/page/download
or http://nightly.odoo.com
To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:
patch -p0 -f < /path/to/the_patch_file.patch
This command assumes your installation layout corresponds to
the latest source code layout of the Odoo project on GitHub.
If your installation differs, please extract the various patch
hunks from the files and apply them in the appropriate locations.
VI. Correction details
The following list contains the revisions after which the vulnerability
is corrected: