Flaws in OrientDB Expose Databases to Remote Attacks

Vulnerabilities Found in OrientDB Patched by Developer

A total of three vulnerabilities have been identified in the free version (Community Edition) of the OrientDB database management system. The flaws have been addressed with the release of versions 2.1.1 and 2.0.15.

OrientDB is an open source NoSQL database management system developed by Orient Technologies. According to the developer, OrientDB is downloaded more than 60,000 times per month, and is used by over 100 enterprises and thousands of users. Statistics from DB-Engines show that OrientDB is the 52nd most popular database, and the second most popular multi-model database.

An advisory published by CERT on Thursday reveals that OrientDB is plagued by flaws that an attacker can exploit to carry out actions with the victim’s privileges and gain administrative access to databases.

The first vulnerability detailed in CERT’s advisory is a cross-site request forgery (CSRF) affecting Studio, the web interface designed for the administration of OrientDB. The security hole, identified as CVE-2015-2912, allows an attacker to perform actions with the privileges of a targeted user. For the attack to work, the attacker needs to convince a logged-in user to execute a maliciously crafted request.

Researchers tested this vulnerability in the version of Studio bundled with OrientDB 2.0.3, but other older versions might be affected as well, CERT said.

The second issue has been described as the use of insufficiently random values when generating session IDs (CVE-2015-2913). The problem stems from the use of the java.util.Random class to generate random numbers in OrientDB versions prior to 2.1.0. This class is not designed for security-sensitive purposes, so a potential attacker could predict session ID values and manipulate them to gain administrative privileges to the database.

Another flaw found in OrientDB is related to improper input validation (CVE-2015-2918). Since, by default, Studio does not use the X-Frame-Options header to enforce a same-origin policy (SOP), a malicious actor can create specially crafted pages and launch clickjacking attacks.

According to CERT, the insufficiently random value and CSRF vulnerabilities have been addressed with the release of versions 2.0.15 and 2.1.1 in August. The CSRF bug has been patched by disabling JSONP by default, while the generation of random numbers is now handled by using the java.security.SecureRandom class.
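To make the difference concrete, here is an added example (not OrientDB's own code) contrasting a session ID derived from java.util.Random with one derived from java.security.SecureRandom; the seed value and token format are constructed for the demonstration.

```java
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Random;

/**
 * Illustration of the weakness behind CVE-2015-2913: a session ID built from
 * java.util.Random versus one built from java.security.SecureRandom.
 * Example code written for this article; not OrientDB's implementation.
 */
public class SessionIdDemo {

    // WEAK: java.util.Random is a 48-bit linear congruential generator. Its whole
    // output stream is fixed by the seed, so whatever determines the seed (or an
    // observer who recovers the internal state) determines every session ID.
    static String weakSessionId(Random rng) {
        return new BigInteger(130, rng).toString(32);
    }

    // HARDENED: SecureRandom draws from the platform CSPRNG, so earlier
    // outputs give no information about later ones.
    static String strongSessionId(SecureRandom rng) {
        byte[] buf = new byte[16];          // 128 bits of entropy
        rng.nextBytes(buf);
        return new BigInteger(1, buf).toString(32);
    }

    public static void main(String[] args) {
        // Two Random instances with the same seed yield identical "session IDs".
        long seed = 1234567L;               // constructed seed for the demonstration
        System.out.println("weak #1:   " + weakSessionId(new Random(seed)));
        System.out.println("weak #2:   " + weakSessionId(new Random(seed)));

        // SecureRandom cannot be replayed this way; each token is independent.
        SecureRandom sr = new SecureRandom();
        System.out.println("strong #1: " + strongSessionId(sr));
        System.out.println("strong #2: " + strongSessionId(sr));
    }
}
```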

Clickjacking attacks can be prevented by setting the value of the X-Frame-Options response header to “DENY.”
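As an added example (not from the article or from OrientDB), the following Java program checks whether an HTTP response carries an X-Frame-Options value that blocks framing; the Studio URL, port and path mentioned in the comments are assumed placeholders.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Optional;

/**
 * Verifies the clickjacking mitigation described above: the response must carry
 * X-Frame-Options with a value that stops other sites from framing the page.
 * Example code added for this article; not OrientDB's own code.
 */
public class FrameOptionsCheck {

    // DENY blocks all framing; SAMEORIGIN allows framing only by the same origin.
    // A missing header, or any other value, is treated as "not blocked".
    static boolean framingBlocked(Optional<String> xfo) {
        return xfo.map(v -> v.trim().toUpperCase())
                  .map(v -> v.equals("DENY") || v.equals("SAMEORIGIN"))
                  .orElse(false);
    }

    // Fetches only the headers (HEAD request) and evaluates X-Frame-Options.
    static boolean checkUrl(String url) throws Exception {
        HttpClient client = HttpClient.newHttpClient();
        HttpRequest req = HttpRequest.newBuilder(URI.create(url))
                .method("HEAD", HttpRequest.BodyPublishers.noBody())
                .build();
        HttpResponse<Void> resp = client.send(req, HttpResponse.BodyHandlers.discarding());
        Optional<String> xfo = resp.headers().firstValue("X-Frame-Options");
        System.out.println(url + " -> X-Frame-Options: " + xfo.orElse("<missing>"));
        return framingBlocked(xfo);
    }

    public static void main(String[] args) throws Exception {
        // Offline self-check on constructed header values.
        System.out.println("DENY blocks framing:    " + framingBlocked(Optional.of("DENY")));
        System.out.println("missing blocks framing: " + framingBlocked(Optional.empty()));
        // Live check against a deployment, e.g. http://localhost:2480/studio/index.html
        // (placeholder: OrientDB's HTTP port and Studio path are assumed; adjust as needed).
        if (args.length > 0) {
            System.out.println(checkUrl(args[0])
                ? "OK: framing blocked"
                : "WARN: page can be framed; set X-Frame-Options: DENY");
        }
    }
}
```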

Attacks leveraging vulnerabilities in Studio can also be mitigated by disabling the web interface if it’s not needed.

“There is no evidence that vulnerabilities have been exploited and all clients have been advised to apply the software updates released to prevent potential incidents. As part of our security guidelines, we also recommend users to keep OrientDB in a private network and not expose the database to the internet,” Luca Olivari, President of OrientDB, told SecurityWeek.

Databases can store a lot of sensitive information, so making sure that the software powering them is up to date and properly configured is very important. Researchers recently discovered that some of the most popular databases expose as much as 1.1 petabytes of data due to misconfigurations.

*Updated with statement from OrientDB

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
