CouchDB Ransom Notes

Dear CouchDB Community,

You may have seen a news item[1] about CouchDB in the past few days. There is a trend of finding unsecured public databases, deleting all the data in them, and asking for a ransom to restore the data. This has been going on with MongoDB for a while; now Hadoop and CouchDB have joined the list of affected database products.

One of CouchDB’s design goals is ease-of-use. That led us to decide on easy-to-access security defaults for CouchDB, namely the famous Admin Party (every request is treated as coming from an administrator). To make sure this isn’t a security issue, CouchDB by default also binds only to the local loopback network interface 127.0.0.1, and we recommend creating an admin account before making CouchDB accessible from the public.

As far as we can tell so far, the affected CouchDB instances were running in Admin Party mode and were publicly accessible. As a result we are reiterating the documented best practice: do not run CouchDB without an admin account on a public network interface, and make sure to choose a strong password for the admin account.
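To make the two conditions above concrete, here is an added example (not code from the CouchDB project or from this post) that audits them offline: it reads a CouchDB `local.ini`-style configuration for a non-loopback `bind_address` (checked in both the `[httpd]` and `[chttpd]` sections, since 2.x uses `[chttpd]` for the clustered port) and for an empty `[admins]` section, and it inspects the JSON body an unauthenticated `GET /_session` returns, which in Admin Party mode reports `"name": null` with `"_admin"` in the roles. The sample configurations, the password hash and the session bodies are constructed for the example; the function names are this example's own.

```python
"""Offline audit for the Admin Party / bind_address combination (added example)."""
import configparser
import ipaddress
import json


def parse_couch_ini(ini_text):
    """Parse a CouchDB ini fragment. Option names keep their case so admin
    usernames are reported exactly as written."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(ini_text)
    return cp


def is_loopback(addr):
    """True only for addresses that provably stay on the host."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # a hostname or malformed value: not proven local


def audit_config(ini_text):
    """Return findings for a CouchDB ini fragment.

    A bind_address that is absent from the fragment is not reported, because
    the shipped default.ini sets 127.0.0.1 (the post's 'loopback by default').
    """
    cp = parse_couch_ini(ini_text)
    admins = dict(cp.items("admins")) if cp.has_section("admins") else {}
    public_bind = {}
    for section in ("httpd", "chttpd"):
        if cp.has_option(section, "bind_address"):
            addr = cp.get(section, "bind_address").strip()
            if not is_loopback(addr):
                public_bind[section] = addr
    # CouchDB rewrites plaintext [admins] passwords on start into a hashed
    # form beginning with '-' ('-pbkdf2-...' on 2.x); anything else has not
    # been hashed yet and should not be committed in that state.
    plaintext = [user for user, pw in admins.items() if not pw.startswith("-")]
    return {
        "admin_party": not admins,
        "public_bind": public_bind,
        "plaintext_admin_passwords": plaintext,
        # The condition the post warns about: no admin AND reachable publicly.
        "exposed_admin_party": (not admins) and bool(public_bind),
    }


def is_admin_party(session_body):
    """Decide from a GET /_session response body whether the unauthenticated
    caller is treated as an administrator."""
    ctx = json.loads(session_body).get("userCtx", {})
    return ctx.get("name") is None and "_admin" in ctx.get("roles", [])


# --- constructed sample inputs -------------------------------------------
WEAK_INI = """
[chttpd]
port = 5984
bind_address = 0.0.0.0

[admins]
; no admin account: Admin Party
"""

HARDENED_INI = """
[chttpd]
port = 5984
bind_address = 127.0.0.1

[admins]
; hash value below is a constructed placeholder, not a real CouchDB hash
admin = -pbkdf2-0123456789abcdef0123456789abcdef01234567,deadbeefcafe,10
"""

# Constructed bodies shaped like CouchDB's /_session reply.
ADMIN_PARTY_SESSION = json.dumps(
    {"ok": True, "userCtx": {"name": None, "roles": ["_admin"]}}
)
AUTHED_SESSION = json.dumps(
    {"ok": True, "userCtx": {"name": "admin", "roles": ["_admin"]}}
)
ANON_SESSION = json.dumps({"ok": True, "userCtx": {"name": None, "roles": []}})


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_config(ini))
    for label, body in (("admin party", ADMIN_PARTY_SESSION),
                        ("authenticated", AUTHED_SESSION),
                        ("anonymous, secured", ANON_SESSION)):
        print(label, is_admin_party(body))
```

Feed `audit_config` the contents of your own `local.ini`; an `exposed_admin_party` of `True` is exactly the state the affected instances were found in. For a live instance, compare the body of an unauthenticated `GET http://host:5984/_session` against `is_admin_party`: once an admin exists, the anonymous session loses the `_admin` role.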

For CouchDB 2.0 and onwards, we already make the creation of the admin account part of the cluster setup, but users can still choose to ignore this step. For future CouchDB versions (3.x and onwards), we are currently taking steps to make things even more secure by default and make it even harder (if not impossible) to run an insecure CouchDB instance in production.

We are also working with the security researchers who are doing widespread investigations into this issue to see if there are any other issues that we can address on the CouchDB side.

If you have any questions, please contact the users list, user@couchdb.apache.org.

If you want to report an intrusion into a CouchDB instance that you can prove has been secured with an admin account and associated security measures (like TLS), or if you have any other useful information pertaining to this issue, please contact security@couchdb.apache.org, our private security reporting mailing list.

[1]: https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-couchdb-and-hadoop-servers/

Jan Lehnardt, Vice President of Apache CouchDB
