OrientDB devs fix CSRF and click-jacking vulnerabilities

Sep 4, 2015 21:34 GMT

OrientDB developers have fixed three security-related bugs in the database's Web-based management interface, also known as Studio.

OrientDB, a modern database engine that combines the features of graph database engines like Neo4J, and document databases like the popular MongoDB, is part of the new wave of NoSQL engines that provide alternatives to the old relational database ecosystem.

According to a recent disclosure on the CERT Vulnerability Notes Database, three issues relating to the OrientDB database engine's Web administration interface have been resolved with the release of versions 2.0.15 and 2.1.1.

This interface, codenamed Studio, lets administrators manage the database's content from a browser.

It's basically like phpMyAdmin for MySQL, but instead of being controlled by the open source community, Studio is managed by OrientDB's creators and ships with every version of the OrientDB database, Community and Enterprise.

According to security researcher Raffaela Frank, the Studio interface's code contained three security issues which allowed for a CSRF (Cross-Site Request Forgery) attack to take place (CVE-2015-2912), used improper input validation which allowed for click-jacking attacks (CVE-2015-2918), and utilized an insufficiently strong Java library to generate random numbers for session IDs (CVE-2015-2913).
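The clickjacking and CSRF findings above both come down to browser-side protections the server must set. The following added example (not OrientDB code, and using constructed sample responses rather than anything captured from a Studio instance) audits a response's headers offline: it reports whether the page can be framed and which session-cookie attributes are missing; the cookie name STUDIO_SESSION is a placeholder.

```python
"""Offline header audit for the two browser-side issue classes described in
the article: clickjacking (page may be framed) and CSRF-prone session cookies.
Added example; sample responses are constructed, not captured from OrientDB."""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]   # (name, value) pairs, Set-Cookie may repeat


def framing_allowed(headers: Headers) -> bool:
    """True if neither X-Frame-Options nor a CSP frame-ancestors directive
    restricts embedding, i.e. the page could be loaded in a third-party iframe."""
    lowered = {k.lower(): v for k, v in headers}
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    for directive in lowered.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return False
    return True


def cookie_weaknesses(set_cookie: str) -> List[str]:
    """Return the attributes a session cookie lacks; without SameSite the
    browser attaches it to cross-site requests, the precondition for CSRF."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs: Dict[str, str] = {}
    for p in parts[1:]:                      # parts[0] is name=value
        key, _, val = p.partition("=")
        attrs[key.lower()] = val
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        missing.append("SameSite")
    return missing


def audit(headers: Headers) -> dict:
    """Summarise findings: framing allowed? and per-cookie missing attributes."""
    findings = {"clickjacking": framing_allowed(headers), "cookies": {}}
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookie_name = value.split(";", 1)[0].partition("=")[0].strip()
            weak = cookie_weaknesses(value)
            if weak:
                findings["cookies"][cookie_name] = weak
    return findings


# Constructed sample responses (placeholder cookie name, not OrientDB's own).
UNPATCHED: Headers = [("Content-Type", "text/html"),
                      ("Set-Cookie", "STUDIO_SESSION=abc123; Path=/")]
HARDENED: Headers = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY"),
                     ("Set-Cookie", "STUDIO_SESSION=abc123; Path=/; HttpOnly; Secure; SameSite=Lax")]

if __name__ == "__main__":
    print(audit(UNPATCHED))
    print(audit(HARDENED))
```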

No attacks recorded in the wild

These flaws allowed an attacker to gain administrative privileges to the database, or to act with the privileges of the victim whose browser session was abused. The attacks could have been carried out only if the Studio interface was exposed to the Internet, or if the attacker already had access to an internal network from which the database could be reached.

All three issues affected only the OrientDB Studio interface; no problems were reported in the database engine itself.

If you haven't yet upgraded to the latest OrientDB versions and are forced to run older releases due to technical limitations or company-related policies, disabling OrientDB Studio should protect your private data.

We reached out to OrientDB Technologies, which told us they did not observe any attacks using these vulnerabilities in the wild. Their full statement is also attached to this article, along with screenshots and a video presentation of OrientDB Studio.
