CVE-2022-24706 — Apache CouchDB Insecure Default Initialization of Resource Vulnerability


Apache CouchDB — Unauthenticated RCE via Insecure Default Erlang Cookie Enables Cluster Takeover

What is Apache CouchDB?

Apache CouchDB is an open-source NoSQL document database known for its RESTful HTTP API, multi-master replication, and ease of use. It is widely used as a backend for web and mobile applications, for offline-first synchronisation scenarios, and as the storage layer for tools built around its replication protocol. CouchDB is written in Erlang and uses Erlang for its runtime and clustering, inheriting Erlang's distributed computing model — including the Erlang Port Mapper Daemon (EPMD) for node discovery and the Erlang distribution protocol for inter-node communication.

Overview

CVE-2022-24706 is a critical insecure default initialization vulnerability (CWE-1188) in Apache CouchDB. In affected versions, CouchDB nodes were initialized with a predictable or known default Erlang distribution cookie — the shared secret used for Erlang node-to-node authentication in the clustering protocol. An unauthenticated attacker who can reach CouchDB's Erlang distribution port can connect using the known default cookie, joining the Erlang cluster and executing arbitrary OS-level commands with the privileges of the CouchDB process. CVSS 9.8. Fixed in CouchDB 3.2.2, which generates a cryptographically random cookie per installation.

Affected Versions

Version                          Status
Apache CouchDB prior to 3.2.2    Vulnerable (if the Erlang distribution ports are exposed)
Apache CouchDB 3.2.2 and later   Fixed (random cookie generated on install)

Technical Details

CouchDB's clustering feature relies on Erlang's OTP distribution protocol. Erlang nodes authenticate to each other using a shared secret called the "magic cookie", stored in a file named .erlang.cookie. In CouchDB installations before 3.2.2, this cookie was set to a known default value ("monster" in some package configurations) rather than being randomly generated per instance, so any party who knows the default knows the cluster's authentication secret.

Both EPMD (default port 4369) and the node's own Erlang distribution port must be reachable for exploitation. When they are:

  1. Attacker connects to the Erlang EPMD port (4369) to discover the CouchDB node name
  2. Attacker uses the known cookie value to authenticate to the Erlang distribution port
  3. As a peer Erlang node, the attacker has full RPC capabilities — including os:cmd() for arbitrary OS command execution
  4. The commands execute with the OS user privileges of the CouchDB process (typically couchdb user, but may be root in some deployments)

This is a well-known Erlang cluster attack pattern (similar attacks have affected RabbitMQ with default Erlang cookies).

Discovery

Identified during a security review of CouchDB's default configuration. The fix in 3.2.2 ensures a unique random cookie is generated during installation, eliminating the shared-secret predictability issue.

Exploitation Context

Erlang distribution ports (4369 and the dynamic node port range) are typically not intended to be internet-accessible, but many CouchDB deployments leave these ports reachable due to:

  • Cloud security group misconfiguration (opening all ports, or "all traffic" rules)
  • Docker port exposure without network filtering
  • Incorrect assumption that CouchDB's HTTP API port (5984) is the only relevant port

Mass internet scanning tools like Shodan regularly index exposed CouchDB instances. Attackers exploiting this vulnerability typically install cryptominers, create backdoor OS accounts, or use the compromised database server as a pivot point.

Remediation

  1. Upgrade to CouchDB 3.2.2 or later: The fix generates a random Erlang cookie per installation. Existing deployments should also manually regenerate the cookie by replacing .erlang.cookie with a random value and restarting CouchDB.
  2. Firewall Erlang ports: Restrict access to ports 4369 (EPMD) and the Erlang distribution port range (default 9100-9200 for CouchDB) to trusted hosts only. These ports should never be internet-accessible.
  3. Firewall CouchDB HTTP API: Port 5984 should also be restricted — CouchDB's HTTP API has its own authentication, but exposure without authentication is a separate risk.
  4. Audit for compromise: Check OS user accounts, cron jobs, and running processes for unauthorized additions. Review CouchDB database contents for unexpected records.
  5. Use Docker network isolation: If running CouchDB in Docker, use internal Docker networks and only expose the HTTP API port (5984) on the host, not the Erlang ports.
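The helper below is an added example for remediation steps 1 and 2, not code from the CouchDB project: it audits a cookie file for the default value named on this page and weak permissions, rotates it to a random value, and flags an EPMD listener bound to a non-loopback address. It assumes the cookie path is supplied by the operator (its location varies by package) and that the listener line comes from `ss -ltn` or `netstat -ltn` output.

```shell
#!/bin/sh
# Added example (not CouchDB project code): audit the Erlang cookie file for the
# default value named on this page, rotate it to a random value, and flag an EPMD
# listener bound to a non-loopback address. The cookie path is passed as an
# argument because its location varies by package; no path is assumed here.

KNOWN_DEFAULT_COOKIE="monster"   # default value cited on this page

# Succeeds if the cookie file holds the known default (surrounding whitespace ignored).
cookie_is_default() {
    value=$(tr -d ' \t\r\n' < "$1")
    [ "$value" = "$KNOWN_DEFAULT_COOKIE" ]
}

# Succeeds if the file is mode 0400 (Erlang itself rejects a cookie readable by others).
cookie_perms_ok() {
    [ -n "$(find "$1" -maxdepth 0 -perm 0400 2>/dev/null)" ]
}

# 40 alphanumeric characters from the kernel CSPRNG (about 238 bits of entropy).
generate_cookie() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 40
}

# Atomically replace the cookie with a fresh random value at mode 0400.
# Every node of a cluster must get the same new value, and CouchDB must be
# restarted on each node afterwards.
rotate_cookie() {
    file="$1"
    ( umask 077; generate_cookie > "$file.new" )
    chmod 0400 "$file.new"
    mv -f "$file.new" "$file"
}

# Succeeds when one `ss -ltn`/`netstat -ltn` line shows EPMD (4369) on a non-loopback address.
epmd_listener_is_public() {
    case "$1" in
        *"127.0.0.1:4369 "*|*"[::1]:4369 "*) return 1 ;;
        *":4369 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Combined audit: succeeds only when the cookie is non-default and mode 0400.
audit_cookie() {
    if cookie_is_default "$1"; then echo "WARN: $1 holds the default cookie"; return 1; fi
    if ! cookie_perms_ok "$1"; then echo "WARN: $1 is not mode 0400"; return 1; fi
    echo "OK: $1 is non-default and owner-only"
}
```

Run `audit_cookie /path/to/.erlang.cookie` on each node first; `rotate_cookie` must then be applied with the same value on every node before the cluster is restarted.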

Key Details

Property               Value
CVE ID                 CVE-2022-24706
Vendor / Product       Apache — CouchDB
NVD Published          2022-04-26
NVD Last Modified      2025-10-28
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-1188
CISA KEV Added         2022-08-25
CISA KEV Deadline      2022-09-15
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-09-15. Apply updates per vendor instructions.

Timeline

Date         Event
2022-04-26   CVE published; Apache CouchDB 3.2.2 released with fix
2022-08-25   Added to CISA Known Exploited Vulnerabilities catalog
2022-09-15   CISA BOD 22-01 remediation deadline

References

Resource                                             Type
NVD — CVE-2022-24706                                 Vulnerability Database
CISA KEV Catalog Entry                               US Government
Apache CouchDB Security Advisory — CVE-2022-24706    Vendor Advisory