[Secure-testing-team] Bug#576304: CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability
Moritz Muehlenhoff
jmm at debian.org
Fri Apr 2 20:23:16 UTC 2010
Package: couchdb
Severity: important
Tags: security
The following advisory was posted to full-disclosure. I don't see
the security implications; can you tell me what property is being
attacked here through the timing attack?
Cheers,
Moritz
CVE-2010-0009: Apache CouchDB Timing Attack Vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache CouchDB 0.8.0 to 0.10.1
Description:
Apache CouchDB versions prior to version 0.11.0 are vulnerable to
timing attacks, also known as side-channel information leakage,
due to using simple break-on-inequality string comparisons when
verifying hashes and passwords.
Mitigation:
All users should upgrade to CouchDB 0.11.0. Upgrades from the 0.10.x
series should be seamless. Users on earlier versions should consult
http://wiki.apache.org/couchdb/Breaking_changes
Example:
A canonical description of the attack can be found in
http://codahale.com/a-lesson-in-timing-attacks/
Credit:
This issue was discovered by Jason Davies of the Apache CouchDB
development team.
References:
http://couchdb.apache.org/
http://couchdb.apache.org/downloads.html
http://wiki.apache.org/couchdb/Breaking_changes
http://codahale.com/a-lesson-in-timing-attacks/
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-3-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages couchdb depends on:
ii adduser 3.112 add and remove users and groups
pn erlang-abi-11.b.3 <none> (no description available)
pn erlang-nox <none> (no description available)
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
pn libicu38 <none> (no description available)
pn libmozjs1d <none> (no description available)
ii lsb-base 3.2-23 Linux Standard Base 3.2 init scrip
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
couchdb recommends no packages.
couchdb suggests no packages.
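To make the property under attack concrete: the advisory says hash and password checks used a "break-on-inequality" comparison, i.e. one that stops at the first differing byte. The work it does (and hence the response time) then depends on how long a prefix of the submitted value matches the stored secret, which lets the matching prefix be inferred one byte at a time. The example below is added here and is not CouchDB's own (Erlang) code; it is written in Python and instruments both the leaky comparison and a constant-time replacement by counting the bytes each one examines, which is a deterministic stand-in for the timing side channel. The secret and guesses are constructed values.

```python
"""Added example: break-on-inequality comparison vs. a constant-time one.

Illustrative code written for this bug report, not CouchDB's implementation.
Instead of measuring wall-clock time, each comparison reports how many bytes
it examined; in a real server that count is what shows up as response latency.
"""
import hashlib
import hmac
from typing import Callable, List, Tuple

Compare = Callable[[bytes, bytes], Tuple[bool, int]]


def naive_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Break-on-inequality comparison, the pattern the advisory describes.

    Returns (equal, bytes_examined). bytes_examined grows with the length of
    the matching prefix, so it leaks how much of the guess is correct.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:          # early exit: the leak
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> Tuple[bool, int]:
    """Comparison whose work is independent of where the inputs differ.

    All byte differences are OR-accumulated and only the final value is
    branched on, so bytes_examined is always len(a) for equal-length inputs.
    (Python's stdlib provides the same guarantee via hmac.compare_digest.)
    """
    if len(a) != len(b):
        return False, 0
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0, len(a)


def leak_profile(secret: bytes, guesses: List[bytes], compare: Compare) -> List[int]:
    """Bytes examined for each guess: the side channel an observer would see."""
    return [compare(secret, g)[1] for g in guesses]


def stdlib_agrees(secret: bytes, guess: bytes) -> bool:
    """Sanity check: constant_time_equal decides like hmac.compare_digest."""
    return constant_time_equal(secret, guess)[0] == hmac.compare_digest(secret, guess)


if __name__ == "__main__":
    # Constructed secret: a hex digest such as a server might store.
    secret = hashlib.sha1(b"constructed example password").hexdigest().encode()
    # Constructed guesses sharing 0, 4 and 8 correct leading bytes.
    guesses = [
        b"zz" + secret[2:],
        secret[:4] + b"zz" + secret[6:],
        secret[:8] + b"zz" + secret[10:],
    ]
    print("naive   :", leak_profile(secret, guesses, naive_equal))
    print("constant:", leak_profile(secret, guesses, constant_time_equal))
```

Run stand-alone, the naive profile rises with each longer correct prefix (1, 5, 9 bytes examined) while the constant-time profile is flat at the digest length, which is exactly the difference between the affected releases and 0.11.0 as the advisory describes it. Note that the length check still returns early; that is acceptable here because the length of a stored hash is public, not secret.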