Couchbase Alerts

This page lists critical alerts and advisories for Couchbase.


Enterprise Security Alerts

Fields for each entry: CVE, Synopsis, Description, Impact (CVSS), Products, Affects Version, Fix Version, Publish Date

CVE-2021-43963
  Synopsis: Sync Gateway insecurely stores Couchbase Server bucket credentials
  Description: The bucket credentials used by Sync Gateway to read and write data in Couchbase Server were stored insecurely in the metadata of sync documents written to the bucket. Users with read access could use these credentials to obtain write access. This issue does not affect clusters where Sync Gateway is authenticated with x.509 client certificates. It also does not affect clusters where shared bucket access is not enabled on Sync Gateway.
  Impact (CVSS): Medium (6.5)
  Products: Couchbase Sync Gateway
  Affects Version: Sync Gateway 2.8.2, 2.8.1, 2.8.0, 2.7.x
  Fix Version: Sync Gateway 2.8.3
  Publish Date: October 2021

CVE-2021-37842
  Synopsis: Logs not redacting XDCR remoteCluster credentials
  Description: Remote cluster XDCR credentials can be leaked in debug logs. Config key tombstone purging was added in Couchbase Server 7.0.0; the issue occurs when a config key that is being logged has a tombstone purger timestamp attached to it.
  Impact (CVSS): High (7.6)
  Products: Couchbase Server
  Affects Version: Server 7.0.1, 7.0.0
  Fix Version: Server 7.0.2
  Publish Date: October 2021

CVE-2021-42763
  Synopsis: Credentials exposed in crash error log from a backtrace
  Description: As part of a cbcollect_info log collection, Couchbase Server collects the process info of all the processes running in the Erlang VM. The issue occurs when the cluster manager forwards an HTTP request from the pluggable UI (query workbench, etc.) to the specific service. In the backtrace, the Basic Auth header included in the HTTP request contains the "@" user credentials of the node processing the UI request. For the issue to occur, the process info has to be triggered at the exact moment when a pluggable UI request is being serviced by the cluster manager.
  Impact (CVSS): High (8.8)
  Products: Couchbase Server
  Affects Version: Server 7.0.1, 7.0.0, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.5.x
  Fix Version: Server 6.6.3, 7.0.2
  Publish Date: October 2021

CVE-2021-33503
  Synopsis: Update of the Python urllib3 to 1.26.5 or higher
  Description: An issue was discovered in urllib3 before 1.26.5, as used by the Couchbase Server command line tools. When these tools are given a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service of the command line tool if such a URL is passed as a parameter or reached via an HTTP redirect.
  Impact (CVSS): High (7.5)
  Products: Couchbase Server
  Affects Version: Server 7.0.1, 7.0.0, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x
  Fix Version: Server 6.6.3, 7.0.2
  Publish Date: October 2021

CVE-2020-36242
  Synopsis: Update of the Python cryptography package to 3.3.2
  Description: In the cryptography package before 3.3.2 for Python, as used by the Couchbase Server command line tools, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow in that tool.
  Impact (CVSS): Critical (9.1)
  Products: Couchbase Server
  Affects Version: Server 7.0.1, 7.0.0, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.5.x
  Fix Version: Server 6.6.3, 7.0.2
  Publish Date: October 2021

CVE-2021-35944
  Synopsis: A specially crafted network packet sent from an attacker can crash memcached
  Description: This can cause unavailability of the Data Service. It is recommended to use a firewall so that only network traffic from your applications can reach the Couchbase Server cluster.
  Impact (CVSS): High (8.2)
  Products: Couchbase Server
  Affects Version: Server 7.0.0, 6.6.2, 6.6.1, 6.6.0, 6.5.x
  Fix Version: Server 6.6.3, 7.0.1
  Publish Date: September 2021

CVE-2021-35945
  Synopsis: A specially crafted network packet sent from an attacker can crash memcached
  Description: This can cause unavailability of the Data Service. It is recommended to use a firewall so that only network traffic from your applications can reach the Couchbase Server cluster.
  Impact (CVSS): High (8.2)
  Products: Couchbase Server
  Affects Version: Server 7.0.0, 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.6.x, 4.5.x
  Fix Version: Server 6.6.3, 7.0.1
  Publish Date: September 2021

CVE-2021-35943
  Synopsis: Externally managed users are not prevented from using an empty password, per RFC 4513
  Description: If an LDAP or Active Directory server used for external authentication is configured to allow insecure unauthenticated binds, the Couchbase Server Cluster Manager will allow an external user to be authenticated with an empty password. LDAP servers can be configured to fail unauthenticated bind requests with a resultCode of "unwillingToPerform" to prevent this from occurring.
  Impact (CVSS): Critical (9.8)
  Products: Couchbase Server
  Affects Version: Server 6.6.2, 6.6.1, 6.6.0, 6.5.x
  Fix Version: Server 6.6.3
  Publish Date: August 2021

CVE-2021-23840, CVE-2021-3450, CVE-2021-3449
  Synopsis: Update OpenSSL to version 1.1.1k
  Description: Multiple security issues resolved in OpenSSL, one of which could cause the TLS server to crash if sent a maliciously crafted renegotiation ClientHello message from a client.
  Impact (CVSS): Medium / High (5.9, 7.4, 7.5)
  Products: Couchbase Server
  Affects Version: Server 6.6.2, 6.6.1, 6.6.0, 6.5.x
  Fix Version: Server 6.6.3
  Publish Date: August 2021

CVE-2019-10768
  Synopsis: Update AngularJS to 1.8.0
  Description: An issue in AngularJS, as used by the Couchbase UI, can cause a denial of service through modification of the merge() function.
  Impact (CVSS): High (7.5)
  Products: Couchbase Server
  Affects Version: Server 6.6.2, 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.x, 4.6.x, 4.5.x
  Fix Version: Server 6.6.3
  Publish Date: August 2021

CVE-2021-31158
  Synopsis: N1QL Common Table Expressions (CTEs) handled access control incorrectly
  Description: Common Table Expression N1QL queries did not correctly honor RBAC security controls, giving read access to users who did not have the required authorization.
  Impact (CVSS): Medium (6.5)
  Products: Couchbase Server
  Affects Version: Server 6.6.1, 6.6.0, 6.5.2, 6.5.1, 6.5.0
  Fix Version: Server 6.6.2
  Publish Date: April 2021

CVE-2021-27925
  Synopsis: View Engine auditing condition leaks authentication information into the logs
  Description: This is a rare condition, triggered when auditing is enabled for the View Engine and node-to-node encryption is enabled. If Couchbase Server is unable to check the remote hostname and port of an incoming internal command (view-merge request) over TLS, an error is logged which contains unredacted Base64-encoded authentication information for an internal user with administrator privileges, @ns_server. A temporary workaround is to disable View Engine auditing or node-to-node encryption until an upgrade can be performed.
  Impact (CVSS): High (7.1)
  Products: Couchbase Server
  Affects Version: Server 6.6.1, 6.6.0, 6.5.2, 6.5.1, 6.5.0
  Fix Version: Server 6.6.2
  Publish Date: April 2021

CVE-2021-27924
  Synopsis: An unredacted session cookie was included in audit logs and debug.log for audited actions where a session ID was included
  Description: Couchbase Server was logging the temporary session cookie for a user when audited events containing a session ID were written to the audit log and debug.log. An attacker with access to logging data could use this to impersonate an authenticated user.
  Impact (CVSS): Critical (9.8)
  Products: Couchbase Server
  Affects Version: Server 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.5.x, 5.1.x, 5.0.x
  Fix Version: Server 6.6.2
  Publish Date: April 2021

CVE-2020-35381
  Synopsis: Update the buger/jsonparser library used by the Search Service to version 1.1.1
  Description: A security issue in the buger/jsonparser (JSON parser for Go) library allows an attacker to cause a denial of service (DoS) in the Couchbase Server Search Service.
  Impact (CVSS): High (7.5)
  Products: Couchbase Server
  Affects Version: Server 6.6.1, 6.6.0, 6.5.2, 6.5.1, 6.5.0
  Fix Version: Server 6.6.2
  Publish Date: April 2021

CVE-2020-13956
  Synopsis: Update the Apache HttpClient library used by the Analytics Service to version 4.5.13
  Description: Apache HttpClient, as used by the Couchbase Server Analytics Service, in versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
  Impact (CVSS): Medium (5.3)
  Products: Couchbase Server
  Affects Version: Server 6.6.1, 6.6.0, 6.5.x, 6.0.x
  Fix Version: Server 6.6.2
  Publish Date: April 2021

CVE-2019-11324
  Synopsis: Update the urllib3 library used by the Couchbase CLI to version 1.26.3
  Description: The Python urllib3 library, used by the requests library that in turn is used by the Couchbase CLI, has a security issue in versions before 1.24.2. The library mishandles certain cases where the desired set of CA certificates differs from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome.
  Impact (CVSS): High (7.5)
  Products: Couchbase Server
  Affects Version: Server 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.5.x, 5.1.x, 5.0.x
  Fix Version: Server 6.6.2
  Publish Date: April 2021

CVE-2021-25644
  Synopsis: Authentication information is leaked when invalid REST requests are received
  Description: When the Couchbase Server REST endpoint receives an unknown request, the request is logged as an error in debug.log and info.log. The log entry includes unredacted Base64-encoded authentication information. The error message is also shown in the Logs tab of the UI.
  Impact (CVSS): High (8.8)
  Products: Couchbase Server
  Affects Version: Server 6.6.1, 6.6.0, 6.5.x, 6.0.x, 5.5.x, 5.1.x, 5.0.x
  Fix Version: Server 6.6.2
  Publish Date: April 2021

CVE-2021-25645
  Synopsis: An internal user with administrator privileges, @ns_server, leaks credentials in cleartext in the cbcollect_info.log, debug.log, ns_couchdb.log, indexer.log, and stats.log files
  Description: Take care to manually redact any logs exported from the cluster on versions affected by this issue. Upgrading the cluster will automatically prevent the @ns_server password from appearing in future log entries.
  Impact (CVSS): Critical (9.6)
  Products: Couchbase Server
  Affects Version: Server 6.6.0, 6.5.1, 6.5.0, 6.0.4, 5.5.0
  Fix Version: Server 6.0.5, 6.5.2, 6.6.1
  Publish Date: March 2021

CVE-2021-25643
  Synopsis: Index Service is leaking internal administrative credentials into the logging
  Description: Internal REST calls (/listCreateTokens, /listRebalanceTokens, /listMetadataTokens) are logged to indexer.log with unredacted Base64-encoded authentication information for internal users with administrator privileges, @cbq-engine-cbauth and @index-cbauth.
  Impact (CVSS): Critical (9.8)
  Products: Couchbase Server
  Affects Version: Server 6.6.1, 6.6.0, 6.5.1, 6.5.0, 6.0.x, 5.5.x, 5.1.x, 5.0.x
  Fix Version: Server 6.6.2, 6.5.2
  Publish Date: April 2021

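Several entries above (CVE-2021-42763, CVE-2021-27924, CVE-2021-25644, CVE-2021-25645 and CVE-2021-25643) leak a Base64 Basic auth token or a session id into log files, and CVE-2021-25645 advises redacting exported logs by hand. The Python below is an added example, not Couchbase's own tooling: it scans log lines for both leak shapes, reports which account is exposed without printing the secret, and redacts the line before export. The log lines, the @ns_server password and the session id are constructed samples.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Leak shapes named in the advisories: a Base64 Basic auth token (forwarded UI
# request, internal REST call) and a session id inside an audit/debug entry.
BASIC_RE = re.compile(r"(?i)\bBasic\s+([A-Za-z0-9+/]{8,}={0,2})")
SESSION_RE = re.compile(r'("sessionid"\s*:\s*")([^"]+)(")')

def _basic_user(token: str) -> Optional[str]:
    """Account name inside a Basic token, or None if it does not decode to user:password."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def find_leaks(line: str) -> List[Tuple[str, str]]:
    """(kind, account) for each leak in a line; the secret itself is never returned."""
    findings = []
    for m in BASIC_RE.finditer(line):
        user = _basic_user(m.group(1))
        if user is not None:  # only tokens that really decode to credentials
            findings.append(("basic-auth", user))
    for m in SESSION_RE.finditer(line):
        findings.append(("session-cookie", m.group(2)[:4] + "..."))
    return findings

def redact(line: str) -> str:
    """Strip both leak shapes so the line is safe to export or attach to a support case."""
    line = BASIC_RE.sub("Basic <redacted>", line)
    return SESSION_RE.sub(r"\1<redacted>\3", line)

def scan_lines(lines: List[str]) -> List[Tuple[int, List[Tuple[str, str]], str]]:
    """(line number, findings, redacted line) for every line that leaks something."""
    report = []
    for no, line in enumerate(lines, 1):
        found = find_leaks(line)
        if found:
            report.append((no, found, redact(line)))
    return report

# Constructed sample lines (not real Couchbase output); the password is made up.
_TOKEN = base64.b64encode(b"@ns_server:constructed-password").decode()
SAMPLE_LOG = [
    '[ns_server:debug] forwarding UI request: [{"Authorization","Basic ' + _TOKEN + '"}]',
    '[ns_server:info] audit: {"sessionid":"9a3f0c7d4e1b2a5f","name":"login success"}',
    "[ns_server:info] rebalance completed successfully",
]
```

Run scan_lines over the lines of an exported log before sharing it; a basic-auth finding also tells you which account's password to rotate, since upgrading only stops future entries.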
CVE-2020-24719
  Synopsis: Exposed Erlang cookie could lead to a Remote Command Execution (RCE) attack
  Description: Communication between Erlang nodes is done by exchanging a shared secret (aka "magic cookie"). There are cases where the magic cookie is included in the content of the logs. An attacker can use the cookie to attach to an Erlang node and run OS-level commands on the system running the Erlang node.
  Recognition: Ofir Hamam, security researcher at EY Israel’s Advanced Security Center
  Impact (CVSS): High (8.0)
  Products: Couchbase Server
  Affects Version: Server 6.5.1
  Fix Version: Server 6.6.0
  Publish Date: August 2020

CVE-2020-9041
  Synopsis: The Cluster Management and Views endpoints are vulnerable to the "Slowloris" denial-of-service attack because they do not terminate slow connections aggressively enough
  Description: Slowloris is a type of denial-of-service attack that allows an attacker to take down a target web endpoint by sending requests that periodically send additional headers and never terminate. Reducing the timeout on receipt of HTTP headers is an effective mitigation of this attack, and this is the approach taken in the cluster management and views REST endpoints.
  Impact (CVSS): High (7.5)
  Products: Couchbase Server, Couchbase Sync Gateway
  Affects Version: Server 6.5.0, Server 6.0.3, Sync Gateway < 2.7.0
  Fix Version: Server 6.5.1, Server 6.0.4
  Publish Date: February 2020

CVE-2019-14863
  Synopsis: FTS UI to upgrade to Angular 1.6.9
  Description: The Full Text Search user interface uses AngularJS 1.4.7, for which some known high-severity security vulnerabilities exist. These AngularJS libraries have been updated to a more recent version of Angular which addresses these vulnerabilities.
  Impact (CVSS): High (7.4)
  Products: Couchbase Server
  Affects Version: Server 6.0.2, 5.5.5
  Fix Version: Server 6.5.0
  Publish Date: January 2020

CVE-2020-9040
  Synopsis: Up until core-io 1.7.11 (and as a result Java SDK 2.7.11), hostname verification on TLS/SSL connections is not enabled and can be a security risk in certain environments
  Description: Java 6 (JDK 1.6, the older SDK baseline version) did not support hostname verification out of the box. Once the SDK moved to Java 7 (Java 1.7) as the baseline, adding support was possible. This happened in jvm-core 1.7.11 (which translates to java-client 2.7.11). It is not possible in earlier versions to add it manually as a workaround, because the facilities to customize it accordingly are not exposed. Note that, in order not to break applications that rely on the old behavior, hostname verification is still disabled by default, but it can be enabled in the SDK configuration (CouchbaseEnvironment class).
  Impact (CVSS): High (7.5)
  Products: Couchbase Java SDK, Couchbase Spark Connector, Couchbase Kafka Connector (connectors depending on Java SDK or Core-IO)
  Affects Version: 1.7.10, 1.6.0, 1.5.0, 1.4.0, 1.3.0, 1.2.0, 1.1.0, 1.0.0
  Fix Version: 2.7.11
  Publish Date: April 2019

CVE-2020-9039
  Synopsis: Projector and indexer REST endpoints did not require authentication
  Description: The /settings REST endpoint exposed by the projector process is an endpoint that administrators can use for various tasks such as updating configuration and collecting performance profiles. The endpoint was unauthenticated and has been updated to only allow authenticated users to access these administrative APIs.
  Recognition: Apple Security team
  Impact (CVSS): High (7.6)
  Products: Couchbase Server
  Affects Version: Server 5.5.1, 5.5.0, 5.0.1, 5.0.0, 4.6.x, 4.5.x, 4.1.x, 4.0.x
  Fix Version: Server 6.5.0, 6.0.0, 5.5.2, 5.1.2
  Publish Date: September 2018

CVE-2020-9042
  Synopsis: Couchbase Server returns a WWW-Authenticate response to unauthenticated requests
  Description: The Server REST API responds with a WWW-Authenticate header to unauthenticated requests, which allows the user to authenticate via a user/password dialog in a web browser. The problem is that these credentials are cached by the browser, which allows an attacker to use CSRF against a cluster if an administrator has used their browser to check the results of a REST API request. This behavior can be disabled using couchbase-cli (couchbase-cli setting-security --set --disable-www-authenticate 1 -c localhost:8091 -u <username> -p <password>). It is not disabled by default as that might break existing tools or scripts.
  Recognition: Apple Security Team
  Impact (CVSS): Medium (6.3)
  Products: Couchbase Server
  Affects Version: Server 6.0.0
  Fix Version: Server 6.5.1
  Publish Date: April 2020

CVE-2019-11464
  Synopsis: Port 8092 misses the X-XSS-Protection header
  Description: Some enterprises require that REST API endpoints include security-related headers in REST responses. Headers such as X-Frame-Options and X-Content-Type-Options are generally advisable; some information security professionals additionally look for X-Permitted-Cross-Domain-Policies and X-XSS-Protection, which are more generally applicable to HTML endpoints, to be included too. These headers are now included in responses from the Couchbase Server Views REST API (port 8092).
  Impact (CVSS): Medium (5.4)
  Products: Couchbase Server
  Affects Version: Server 5.5.0, 5.1.2
  Fix Version: Server 6.0.2
  Publish Date: March 2019

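To confirm the two header-related fixes above on your own nodes, the Python below is an added example (not a Couchbase tool): audit_response inspects one unauthenticated response for a WWW-Authenticate header on a 401 (CVE-2020-9042, which the couchbase-cli setting quoted above turns off) and for the four security headers expected from the Views port 8092 (CVE-2019-11464); probe sends a plain-HTTP GET to a live node. The sample responses, their header values and the request paths are constructed assumptions.

```python
import http.client
from typing import Dict, List, Tuple

# Headers the Views REST API on port 8092 is expected to return (CVE-2019-11464).
VIEWS_PORT = 8092
EXPECTED_VIEWS_HEADERS = (
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-Permitted-Cross-Domain-Policies",
    "X-XSS-Protection",
)

def audit_response(port: int, status: int, headers: Dict[str, str]) -> List[str]:
    """Findings for one unauthenticated response; header names are compared case-insensitively."""
    present = {name.lower() for name in headers}
    findings = []
    # CVE-2020-9042: a 401 carrying WWW-Authenticate lets the browser cache admin
    # credentials, which is what makes the later CSRF request succeed.
    if status == 401 and "www-authenticate" in present:
        findings.append("WWW-Authenticate still sent on 401 (CVE-2020-9042)")
    if port == VIEWS_PORT:
        for name in EXPECTED_VIEWS_HEADERS:
            if name.lower() not in present:
                findings.append(f"missing {name} on port {port} (CVE-2019-11464)")
    return findings

def probe(host: str, port: int, path: str, timeout: float = 5.0) -> List[str]:
    """Send one unauthenticated GET to a live node and audit the reply (assumes plain HTTP)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return audit_response(port, resp.status, dict(resp.getheaders()))
    finally:
        conn.close()

# Constructed responses standing in for a pre-fix and a post-fix node (values are made up).
Response = Tuple[int, Dict[str, str]]
PRE_FIX_8091: Response = (401, {"WWW-Authenticate": 'Basic realm="constructed"',
                                "Content-Type": "application/json"})
POST_FIX_8091: Response = (401, {"Content-Type": "application/json"})
POST_FIX_8092: Response = (200, {"X-Frame-Options": "DENY",
                                 "X-Content-Type-Options": "nosniff",
                                 "X-Permitted-Cross-Domain-Policies": "none",
                                 "X-XSS-Protection": "1; mode=block"})
```

Against a real node, probe("cluster-host", 8091, "/pools") and probe("cluster-host", 8092, "/") return the same finding lists; an empty list means both fixes (or the CLI setting) are in effect.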
CVE-2019-9039
  Synopsis: Prevent N1QL injection in Sync Gateway via _all_docs startkey, endkey
  Description: An attacker with access to the Sync Gateway's public REST API was able to issue additional N1QL statements and extract sensitive data or call arbitrary N1QL functions through the parameters "startkey" and "endkey" on the "_all_docs" endpoint. By issuing nested queries with CPU-intensive operations they may have been able to cause increased resource usage and denial-of-service conditions. The _all_docs endpoint is not required for Couchbase Mobile replication, and external access to this REST endpoint has been blocked to mitigate this issue.
  Recognition: Denis Werner/HiSolutions AG
  Impact (CVSS): High (7.6)
  Products: Couchbase Sync Gateway
  Affects Version: Sync Gateway 2.1.2
  Fix Version: Sync Gateway 2.5.0, 2.1.3
  Publish Date: February 2019

CVE-2019-11465
  Synopsis: Memcached "connections" stat block command emits non-redacted username
  Description: The system information submitted to Couchbase as part of a bug report included the usernames of all users currently logged into the system, even if the log was redacted for privacy. This has been fixed so that usernames are tagged properly in the logs and are hashed out when the logs are redacted.
  Impact (CVSS): Medium (6.5)
  Products: Couchbase Server
  Affects Version: Server 6.0.0, 5.5.3, 5.5.2, 5.5.1, 5.5.0
  Fix Version: Server 6.0.1, 5.5.4
  Publish Date: January 2019

CVE-2019-11466
  Synopsis: Eventing debug endpoint must enforce authentication
  Description: The Eventing Service exposes a system diagnostic profile via an HTTP endpoint that did not require credentials, on a port earmarked for internal traffic only. This has been remedied and the endpoint now requires valid credentials to access.
  Impact (CVSS): High (7.1)
  Products: Couchbase Server
  Affects Version: Server 6.0.0, 5.5.0
  Fix Version: Server 6.0.1
  Publish Date: December 2018

CVE-2018-15728
  Synopsis: The /diag/eval endpoint is not locked down to localhost
  Description: Couchbase Server exposed the '/diag/eval' endpoint, which, by default, is available on TCP/8091 and/or TCP/18091. Authenticated users with the 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API, and the code would subsequently be executed in the underlying operating system with the privileges of the user that was used to start Couchbase.
  Recognition: Apple Security Team
  Impact (CVSS): High (8.8)
  Products: Couchbase Server
  Affects Version: Server 5.5.1, 5.5.0, 5.1.1, 5.0.1, 5.0.0, 4.6.5, 4.5.1, 4.1.2, 4.0.0
  Fix Version: Server 6.0.0, 5.5.2
  Publish Date: October 2018

CVE-2019-11495
  Synopsis: Erlang cookie uses a weak random seed
  Description: The cookie used for intra-node communication was not generated securely. Couchbase Server used erlang:now() to seed the PRNG, which results in a small search space of potential random seeds that could then be used to brute-force the cookie and execute code against a remote system.
  Recognition: Apple Security team
  Impact (CVSS): High (7.9)
  Products: Couchbase Server
  Affects Version: Server 5.1.1
  Fix Version: Server 6.0.0
  Publish Date: September 2018

CVE-2019-11467
  Synopsis: JSON doc with >3k '\t' chars crashes indexer
  Description: Secondary indexing encodes the entries to be indexed using collatejson. When index entries contained certain characters such as \t, <, >, it caused a buffer overrun, as the encoded string would be much larger than accounted for, causing the indexer service to crash and restart. This has been remedied to ensure the buffer always grows as needed for any input.
  Recognition: D-Trust GmbH
  Impact (CVSS): Medium (5.8)
  Products: Couchbase Server
  Affects Version: Server 5.5.0, 4.6.3
  Fix Version: Server 5.1.2, 5.5.2
  Publish Date: August 2018

CVE-2019-11497
  Synopsis: XDCR does not validate a remote cluster certificate
  Description: When an invalid remote cluster certificate was entered as part of the reference creation, XDCR did not parse and check the certificate signature. It then accepted the invalid certificate and attempted to use it to establish future connections to the remote cluster. This has been fixed. XDCR now checks the validity of the certificate thoroughly and prevents a remote cluster reference from being created with an invalid certificate.
  Impact (CVSS): High (7.5)
  Products: Couchbase Server
  Affects Version: Server 5.0.0
  Fix Version: Server 5.5.0
  Publish Date: June 2018

CVE-2019-11496
  Synopsis: Editing bucket settings in Couchbase Server allows authentication without credentials
  Description: In versions of Couchbase Server prior to 5.0, the bucket named "default" was a special bucket that allowed read and write access without authentication. As part of 5.0, the behavior of all buckets, including "default", was changed to only allow access by authenticated users with sufficient authorization. However, users were allowed unauthenticated and unauthorized access to the "default" bucket if the properties of this bucket were edited. This has been fixed.
  Impact (CVSS): High (8.7)
  Products: Couchbase Server
  Affects Version: Server 5.0.0
  Fix Version: Server 5.1.0, 5.5.0
  Publish Date: December 2017