Description
===========

An attacker can access an improperly secured default installation without authenticating and gain admin privileges.

1. CouchDB opens a random network port, bound to all available interfaces, in anticipation of clustered operation and/or runtime introspection. A utility process called `epmd` advertises that random port to the network. `epmd` itself listens on a fixed port.

2. CouchDB packaging previously chose a default `cookie` value for single-node as well as clustered installations. That cookie authenticates any communication between Erlang nodes.

The CouchDB documentation[1] has always made recommendations for properly securing an installation, but not all users follow the advice.

We recommend a firewall in front of all CouchDB installations. The full CouchDB API is available on registered port `5984`, and this is the only port that needs to be exposed for a single-node install. Installations that do not expose the separate distribution port to external access are not vulnerable.

Mitigation
==========

CouchDB 3.2.2 and onwards will refuse to start with the former default Erlang cookie value of `monster`. Installations that upgrade to this version are forced to choose a different value.

In addition, all binary packages have been updated to bind `epmd` as well as the CouchDB distribution port to `127.0.0.1` and/or `::1` respectively.

Credit
======

This issue was identified by Alex Vandiver <ale...@zulip.com>.

[1]: https://docs.couchdb.org/en/stable/setup/cluster.html
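The two mitigations above (no `monster` cookie, distribution port and `epmd` bound to loopback) can be checked on an existing installation before upgrading. The script below is an added example, not code from the CouchDB project or the advisory: it audits a `vm.args`-style file for the `-setcookie` value and for the `inet_dist_use_interface` kernel setting (a standard Erlang runtime flag), and takes the `epmd` bind address as a separate argument because `epmd` is configured outside `vm.args`. The two sample configurations are constructed for illustration; the cookie-length threshold is an assumed local policy, not a CouchDB requirement.

```python
import re
from typing import List, Optional

# Former default cookie that CouchDB 3.2.2+ refuses to start with (from the advisory).
FORMER_DEFAULT_COOKIE = "monster"

# Erlang tuple notation for IPv4 and IPv6 loopback as used by inet_dist_use_interface.
LOOPBACK_IFACES = {"{127,0,0,1}", "{0,0,0,0,0,0,0,1}"}
LOOPBACK_EPMD = {"127.0.0.1", "::1"}

# Assumed local policy: anything shorter than this is treated as a weak secret.
MIN_COOKIE_LEN = 20

# Constructed sample: a pre-3.2.2 style single-node config still using the old default.
WEAK_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie monster
-kernel error_logger silent
"""

# Constructed sample: unique cookie, distribution port pinned to IPv4 loopback.
HARDENED_VM_ARGS = """\
-name couchdb@127.0.0.1
-setcookie 7d2c9a1f4e6b8c0d3a5f9e2b1c4d7a8e
-kernel inet_dist_use_interface {127,0,0,1}
"""


def audit_vm_args(text: str, epmd_address: Optional[str] = None) -> List[str]:
    """Return a list of findings; an empty list means the checked settings look hardened."""
    findings: List[str] = []
    cookie: Optional[str] = None
    dist_iface: Optional[str] = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"-setcookie\s+(\S+)", line)
        if m:
            cookie = m.group(1)
            continue
        m = re.match(r"-kernel\s+inet_dist_use_interface\s+(\S+)", line)
        if m:
            dist_iface = m.group(1)

    if cookie is None:
        findings.append("cookie: no -setcookie in vm.args; verify the cookie source in use")
    elif cookie == FORMER_DEFAULT_COOKIE:
        findings.append("cookie: former default 'monster' in use; CouchDB 3.2.2+ refuses to start with it")
    elif len(cookie) < MIN_COOKIE_LEN:
        findings.append("cookie: shorter than local policy minimum; generate a long random value")

    if dist_iface is None:
        findings.append("distribution: inet_dist_use_interface not set; port binds to all interfaces")
    elif dist_iface not in LOOPBACK_IFACES:
        findings.append(f"distribution: bound to {dist_iface}, not loopback")

    if epmd_address is None:
        findings.append("epmd: bind address unknown; confirm it listens on 127.0.0.1 or ::1 only")
    elif epmd_address not in LOOPBACK_EPMD:
        findings.append(f"epmd: bound to {epmd_address}, not loopback")

    return findings


if __name__ == "__main__":
    for label, cfg, epmd in (("weak", WEAK_VM_ARGS, "0.0.0.0"),
                             ("hardened", HARDENED_VM_ARGS, "127.0.0.1")):
        print(f"[{label}]")
        for f in audit_vm_args(cfg, epmd) or ["no findings"]:
            print("  -", f)
```

Run it against the real `vm.args` of a node and the address `epmd` is actually bound to; any finding in the `distribution` or `epmd` category means the node still exposes the path this advisory describes, independent of the cookie value.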