Neighbourhoodie CouchDB News Special Edition: Apache CouchDB CVE: 2023-26268 Guidance

You are receiving this message because you signed up for the Neighbourhoodie CouchDB News. This special edition outlines Neighbourhoodie’s recommendations for customers operating CouchDB with regards to CVE 2023-26268.

Introduction

Occasionally, the CouchDB team releases a new version release and announces that a certain security vulnerability has been addressed. In these cases, Neighbourhoodie issues a guidance document like this that helps customers to understand the impact the security vulnerability has on their operation of CouchDB.

Summary

The security vulnerability concerns the application of JavaScript functions inside of CouchDB’s design docs feature. By design, these JavaScript functions are run in isolation without any knowledge of anything but their direct parameter input.

Under certain circumstances (outlined below), it is possible for one such function to access data left in a couchjs process by another function. With this it is theoretically possible to access data from a database that a requesting user has no access to.

The possibility for this is very rare. It can only happen, if:

1. you allow your end users (or otherwise untrusted people) with admin-write access to CouchDB databases to create new _design documents,
2. and if the JavaScript function is one of a validate_doc_update, list, filter, filter_views (map), rewrite or update function,
3. and if you have multiple databases (for example in a database-per-user scenario),
4. and if the _design documents in those separate databases have the same document _id,
5. and if the scheduling of running these functions happens to be handled in a way where the same couchjs process handles a _design document with the same document _id from two different databases before being recycled.

In Neighbourhoodie’s estimation, this is a very rare scenario. The CouchDB security team agrees by assigning this CVE a medium severity.

Guidance

If all of the five requirements apply to your setup, we recommend you upgrade to the latest CouchDB versions for your release line (3.3.2 or 3.2.3).

If one of the requirements 1–4 do not apply to your setup, you have nothing to worry about.

Contact

If you have any questions or feedback about any of this and you are under a Neighbourhoodie CouchDB Support contract, you can always get in touch at couchdb@neighbourhood.ie.

If you are interested in signing up for a Neighbourhoodie CouchDB Support contract, contact sales@neighbourhood.ie.