Vulnerabilities Found in OrientDB Patched by Developer
A total of three vulnerabilities have been identified in the free version (Community Edition) of the OrientDB database management system. The flaws have been addressed with the release of versions 2.1.1 and 2.0.15.
OrientDB is an open source NoSQL database management system developed by Orient Technologies. According to the developer, OrientDB is downloaded more than 60,000 times per month, and is used by over 100 enterprises and thousands of users. Statistics from DB-Engines show that OrientDB is the 52nd most popular database, and the second most popular multi-model database.
An advisory published by CERT on Thursday reveals that OrientDB is plagued by flaws that an attacker can exploit to carry out actions with the victim’s privileges and gain administrative access to databases.
The first vulnerability detailed in CERT’s advisory is a cross-site request forgery (CSRF) affecting Studio, the web interface designed for the administration of OrientDB. The security hole, identified as CVE-2015-2912, allows an attacker to perform actions with the privileges of a targeted user. For the attack to work, the attacker needs to lure a logged-in user into loading a page that issues the maliciously crafted request to Studio on that user’s behalf; the browser attaches the victim’s session automatically.
Researchers tested this vulnerability in the version of Studio bundled with OrientDB 2.0.3, but other older versions might be affected as well, CERT said.
The second issue is the use of insufficiently random values when generating session IDs (CVE-2015-2913). Prior to version 2.1.0, OrientDB generated its random numbers with the java.util.Random class, a 48-bit linear congruential generator whose internal state can be recovered from a handful of observed outputs. The class is not suitable for security-sensitive values: an attacker who observes session IDs can predict the ones issued to other users and use a predicted ID to gain administrative privileges on the database.
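The following added example (written for this page, not OrientDB code) shows concretely why java.util.Random is unfit for session IDs. It re-implements the generator exactly as the JDK documentation specifies it (a 48-bit linear congruential generator whose nextInt() returns the top 32 bits of the state), then plays the attacker: from two consecutive outputs it brute-forces the 16 hidden bits and predicts the third. The "session IDs" here are raw nextInt() values, an assumption for illustration; the contrast function uses the OS CSPRNG, which is what replacing java.util.Random with java.security.SecureRandom achieves.

```python
# Added example (not OrientDB code): why java.util.Random output is predictable.
# The JDK documents java.util.Random as a 48-bit linear congruential generator:
#   seed = (seed * 0x5DEECE66D + 0xB) mod 2^48
# and next(bits) returns the top `bits` bits of the new seed. A 32-bit nextInt()
# therefore hides only 16 bits of state, so two consecutive outputs are enough
# to recover the state and predict every value that follows.
import secrets

MULT = 0x5DEECE66D
ADD = 0xB
MASK = (1 << 48) - 1


def _to_java_int(v):
    """Reinterpret a 32-bit unsigned value as Java's signed int."""
    return v - (1 << 32) if v >= (1 << 31) else v


class JavaRandom:
    """Python re-implementation of java.util.Random(seed).nextInt()."""

    def __init__(self, seed):
        self.seed = (seed ^ MULT) & MASK  # the constructor's seed scrambling

    def next_int(self):
        self.seed = (self.seed * MULT + ADD) & MASK
        return _to_java_int(self.seed >> 16)  # next(32): top 32 of 48 bits


def recover_state(out1, out2):
    """Given two consecutive nextInt() outputs, brute-force the 16 discarded
    low bits of the generator state and return the state after the second
    call. Returns None if nothing matches (outputs not from java.util.Random)."""
    hi = (out1 & 0xFFFFFFFF) << 16          # the 32 bits we did observe
    target = out2 & 0xFFFFFFFF
    for low in range(1 << 16):              # 65,536 candidates: instantaneous
        s1 = hi | low
        s2 = (s1 * MULT + ADD) & MASK
        if s2 >> 16 == target:
            return s2
    return None


def predict_next_int(out1, out2):
    """Predict the third nextInt() value from the first two."""
    s2 = recover_state(out1, out2)
    if s2 is None:
        return None
    s3 = (s2 * MULT + ADD) & MASK
    return _to_java_int(s3 >> 16)


def prediction_succeeds(seed):
    """Simulate an attacker who sees two session IDs drawn from a server's
    java.util.Random (assumption: IDs are raw nextInt() values) and predicts
    the next one the server will hand out, e.g. to an administrator."""
    server_rng = JavaRandom(seed)
    seen = [server_rng.next_int(), server_rng.next_int()]
    predicted = predict_next_int(seen[0], seen[1])
    actual = server_rng.next_int()
    return predicted == actual


def secure_session_id(nbytes=32):
    """What the fix amounts to: draw IDs from the OS CSPRNG (Python's secrets
    module here; java.security.SecureRandom in OrientDB 2.1.1 / 2.0.15).
    Observed output gives an attacker no handle on the next value."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for s in (0, 42, 1234567890123):
        print(f"seed {s}: prediction correct = {prediction_succeeds(s)}")
    print("secure id:", secure_session_id())
```

The brute force is the whole attack: 65,536 candidates check in well under a second, and the same state recovery works for any value derived from nextInt() or nextLong(), so hashing or encoding the output does not help if the attacker can invert that step.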
The third flaw is an improper input validation issue (CVE-2015-2918). By default Studio does not restrict framing to its own origin via the X-Frame-Options header, so a malicious actor can embed the interface in a specially crafted page and launch clickjacking attacks against logged-in users.
According to CERT, the insufficiently random value and CSRF vulnerabilities have been addressed with the release of versions 2.0.15 and 2.1.1 in August. The CSRF bug has been patched by disabling JSONP by default, while the generation of random numbers is now handled by using the java.security.SecureRandom class.
Clickjacking attacks can be prevented by having the server send the X-Frame-Options response header with the value “DENY,” so that browsers refuse to render Studio inside any frame.
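As an added practitioner's check (written for this page, not OrientDB code), the following classifies whether a response's headers actually block framing and produces a hardened header set. It treats the CSP `frame-ancestors` directive as taking precedence over X-Frame-Options, which is how browsers that support both behave; the input is a plain dict of response headers, an assumption that suits any HTTP client or proxy test harness.

```python
# Added example (not OrientDB code): audit and apply anti-framing headers.


def framing_policy(headers):
    """Classify a response's anti-framing protection from its headers.
    Returns 'deny', 'sameorigin', 'allowlist' or 'none'. A CSP frame-ancestors
    directive wins over X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.strip("'").lower() for s in parts[1:]}
            if sources == {"none"}:
                return "deny"
            if sources == {"self"}:
                return "sameorigin"
            return "allowlist"
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return "deny"
    if xfo == "sameorigin":
        return "sameorigin"
    if xfo.startswith("allow-from"):
        return "allowlist"   # legacy syntax, ignored by most current browsers
    return "none"            # frameable by any site: clickjacking possible


def add_framing_protection(headers, policy="deny"):
    """Return a copy of the headers with X-Frame-Options set and the matching
    frame-ancestors directive appended to any existing CSP (or a new one)."""
    if policy not in ("deny", "sameorigin"):
        raise ValueError("policy must be 'deny' or 'sameorigin'")
    out = dict(headers)
    out["X-Frame-Options"] = "DENY" if policy == "deny" else "SAMEORIGIN"
    src = "'none'" if policy == "deny" else "'self'"
    csp = out.get("Content-Security-Policy", "")
    if "frame-ancestors" not in csp.lower():
        out["Content-Security-Policy"] = (csp + "; " if csp else "") + "frame-ancestors " + src
    return out


if __name__ == "__main__":
    # Constructed header sets standing in for captured responses.
    unprotected = {"Content-Type": "text/html"}
    print(framing_policy(unprotected))                          # none
    print(framing_policy(add_framing_protection(unprotected)))  # deny
```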
Attacks leveraging vulnerabilities in Studio can also be mitigated by disabling the web interface if it’s not needed.
“There is no evidence that vulnerabilities have been exploited and all clients have been advised to apply the software updates released to prevent potential incidents. As part of our security guidelines, we also recommend users to keep OrientDB in a private network and not expose the database to the internet,” Luca Olivari, President of OrientDB, told SecurityWeek.
Databases can store a lot of sensitive information so making sure that the software powering them is up to date and properly configured is very important. Researchers discovered recently that some of the most popular databases expose as much as 1.1 petabytes of data due to misconfigurations.
*Updated with statement from OrientDB

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.