couchdb-dev mailing list archives

From Jan Lehnardt <...@apache.org>
Subject CouchDB Ransom Notes
Date Tue, 24 Jan 2017 17:56:31 GMT
Dear CouchDB Community,

You may have seen a news item[1] about CouchDB in the past few days. There is a trend of finding
unsecured public databases, deleting all the data in them, and asking for a ransom to restore
the data. This has been going on with MongoDB for a while, now Hadoop and CouchDB joined the
list of affected database products.

One of CouchDB’s design goals is ease-of-use. That led us to decide on easy to access security
defaults for CouchDB. Namely the famous Admin Party (every request is considered coming from
an administrator). To make sure this isn’t a security issue, CouchDB by default also only
binds to the local loopback network interface 127.0.0.1 and we recommend creating an admin
account before making CouchDB accessible from the public.

As far as we can tell for now, the affected CouchDB instances have been in Admin Party mode
and publicly accessible. As a result we are reiterating the documented best practice: Do not
run CouchDB without an admin account on a public network interface. Make sure to choose a
strong password for the admin account.

For CouchDB 2.0 and onwards, we already make the creation of the admin account part of the
cluster setup, but users can still choose to ignore this step. For future CouchDB versions
(3.x and onwards), we are currently taking steps to make things even more secure by default
and make it even harder (if not impossible) to run an insecure CouchDB instance in production.

We are also working with the security researchers that are doing widespread investigations
into this issue to see if there are any other issues that we can address on the CouchDB side.

If you have any questions, please contact the users list user@couchdb.apache.org.

If you want to report an intrusion into a CouchDB instance that you can prove has been secured
with an admin account and associated security measures (like TLS), or if you have any other
useful information pertaining to this issue, please contact security@couchdb.apache.org, our
private security reporting mailing list.

[1]: https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-couchdb-and-hadoop-servers/

Best
Jan Lehnardt
—
Apache CouchDB PMC Chair
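The mail names the two settings that decide whether an instance is exposed: the interface CouchDB binds to and whether an admin account exists (otherwise the node is in Admin Party). The script below is an added example, not code from Jan's mail or from the CouchDB project: it audits a `local.ini` for exactly those two settings. It assumes the real CouchDB layout of `bind_address` under `[httpd]` (1.x) or `[chttpd]` (2.x) and admin entries under `[admins]`; the three ini snippets are constructed samples, and the admin hash value is a placeholder, not a real credential.

```python
"""Audit a CouchDB local.ini for the two exposure conditions described in
the CouchDB ransom-note advisory: a non-loopback bind address combined with
an empty [admins] section (Admin Party).  Hypothetical helper, not part of
CouchDB's own tooling."""
import configparser
import ipaddress

LOOPBACK_NAMES = {"127.0.0.1", "::1", "localhost"}


def parse_ini(text: str) -> configparser.ConfigParser:
    """Parse CouchDB-style ini text; keep option names case-sensitive so
    admin usernames are reported exactly as written."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def bind_addresses(cp: configparser.ConfigParser) -> list:
    """Collect bind_address from [httpd] (CouchDB 1.x) and [chttpd] (2.x)."""
    addrs = []
    for section in ("httpd", "chttpd"):
        if cp.has_section(section) and cp.has_option(section, "bind_address"):
            addrs.append(cp.get(section, "bind_address").strip())
    return addrs


def admin_accounts(cp: configparser.ConfigParser) -> list:
    """Names in [admins] that carry a value (a password or its hash)."""
    if not cp.has_section("admins"):
        return []
    return [name for name, value in cp.items("admins") if value]


def is_public(addr: str) -> bool:
    """True when the address is anything other than the loopback interface.
    Unparseable hostnames are treated as reachable, the conservative choice."""
    if addr in LOOPBACK_NAMES:
        return False
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def audit(text: str) -> dict:
    """Return the findings and an overall risk label:
    'critical' = Admin Party on a public interface (the advisory's case),
    'warn'     = Admin Party but loopback only (the shipped default),
    'ok'       = at least one admin account configured."""
    cp = parse_ini(text)
    addrs = bind_addresses(cp)
    admins = admin_accounts(cp)
    admin_party = not admins
    public = any(is_public(a) for a in addrs)
    if admin_party and public:
        risk = "critical"
    elif admin_party:
        risk = "warn"
    else:
        risk = "ok"
    return {"bind_addresses": addrs, "admins": admins,
            "admin_party": admin_party, "public": public, "risk": risk}


# Constructed sample configs (not taken from any real deployment).
EXPOSED_INI = """
[chttpd]
bind_address = 0.0.0.0
port = 5984

[admins]
"""

DEFAULT_INI = """
[chttpd]
bind_address = 127.0.0.1
port = 5984
"""

SECURED_INI = """
[chttpd]
bind_address = 0.0.0.0
port = 5984

[admins]
admin = -pbkdf2-PLACEHOLDERHASH,PLACEHOLDERSALT,10
"""

if __name__ == "__main__":
    for label, ini in (("exposed", EXPOSED_INI), ("default", DEFAULT_INI),
                       ("secured", SECURED_INI)):
        print(label, audit(ini)["risk"])
```

Run it against a copy of the node's `local.ini` before opening the port in a firewall or load balancer; a `critical` result is precisely the configuration the advisory says was hit.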

