CVE-2017-11467
Published 2017-07-20
Priority: P1 (89) · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 73.07% (99.4th percentile)
OrientDB through 2.2.22 does not enforce privilege requirements during "where" or "fetchplan" or "order by" use, which allows remote attackers to execute arbitrary OS commands via a crafted request.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| orientdb | orientdb | <= 2.2.22 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated or low-privileged (writer/reader) HTTP POST requests to the OrientDB REST API endpoints /document/ and /function/. Exploitation uses the default 'writer:writer' credentials to create and then invoke a malicious Groovy function.
- Alert on OrientDB SQL queries that reference 'oRole' together with an 'order by', 'where' or 'fetchplan' clause and are issued by non-admin users. This is the privilege-bypass vector.
- Monitor for creation of Groovy functions via the OrientDB REST API (POST /document/) followed immediately by invocation via POST /function/. This two-step pattern is the exploitation sequence.
- Detect GRANT privilege-escalation queries targeting 'database.class.ouser', 'database.function' and 'database.systemclusters' issued by the writer role. These are used to self-escalate before exploitation.
- Flag processes spawned by the OrientDB JVM that create named pipes (mkfifo /tmp/f) or invoke netcat (nc). These indicate the reverse-shell payload delivered through the unsandboxed Groovy executor.
- The exploit works even if the admin password has been changed, because it relies on the default 'writer' user (password 'writer') that is automatically created for every new OrientDB database.
- All OrientDB versions from 2.2.2 up to and including 2.2.22 are vulnerable; the default TCP port of the HTTP/REST listener is 2480.
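The indicators above can be turned into detection logic and checked against a request log. The block below is an added example written for this page; it is not code from the page, from OrientDB, from the SecuriTeam advisory or from the Metasploit module. It assumes the OrientDB REST conventions that SQL is posted to /command/<db>/sql, that documents (including OFunction records) are created with POST /document/<db>, and that stored functions are invoked with POST /function/<db>/<name>; it also assumes 'admin' is the only privileged account, so 'writer', 'reader' and unauthenticated requests all count as low-privilege. The request records, IP addresses and process command lines are constructed sample data. The same block also covers the process-telemetry indicator (mkfifo / nc under the OrientDB JVM).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: 'admin' is the only privileged account. The default low-privilege
# users (writer/reader) are the ones CVE-2017-11467 exploitation relies on.
ADMIN_USERS = {"admin"}

# oRole queried through the clauses the advisory names (where / order by / fetchplan)
OROLE_RE = re.compile(r"\boRole\b", re.I)
CLAUSE_RE = re.compile(r"\b(?:where|order\s+by|fetchplan)\b", re.I)

# GRANT aimed at the resources a writer self-escalates through
GRANT_RE = re.compile(
    r"\bgrant\b.*?\bon\b\s+(database\.class\.ouser|database\.function|database\.systemclusters)\b",
    re.I | re.S,
)

# A stored-function document, and specifically one whose language is Groovy
OFUNCTION_RE = re.compile(r'"@class"\s*:\s*"OFunction"', re.I)
GROOVY_RE = re.compile(r'"language"\s*:\s*"groovy"', re.I)

# Reverse-shell tooling as a separate token in a child command line
SHELL_TOOL_RE = re.compile(r"""(?:^|[\s;&|'"(])(?:mkfifo|nc|ncat|netcat)(?:\s|$)""")


@dataclass
class Request:
    ts: datetime
    src: str
    user: str        # OrientDB user from HTTP Basic auth; "" when unauthenticated
    method: str
    path: str        # REST path, e.g. /command/<db>/sql, /document/<db>, /function/<db>/<name>
    body: str = ""   # SQL text for /command/, JSON for /document/


def detect_requests(requests, window=timedelta(seconds=120)):
    """Return (ts, src, rule) tuples for requests matching the advisory's IOCs."""
    alerts = []
    last_groovy_create = {}  # src -> timestamp of its most recent Groovy OFunction creation
    for r in sorted(requests, key=lambda x: x.ts):
        low_priv = r.user not in ADMIN_USERS
        is_post = r.method.upper() == "POST"
        # Rule 1+3a: low-privilege user creates a stored function via POST /document/
        if is_post and r.path.startswith("/document/") and low_priv and OFUNCTION_RE.search(r.body):
            alerts.append((r.ts, r.src, "ofunction_created_by_low_priv_user"))
            if GROOVY_RE.search(r.body):
                last_groovy_create[r.src] = r.ts
        # Rule 3b: the same source invokes a function shortly after creating a Groovy one
        if is_post and r.path.startswith("/function/"):
            t0 = last_groovy_create.get(r.src)
            if t0 is not None and r.ts - t0 <= window:
                alerts.append((r.ts, r.src, "groovy_create_then_invoke"))
        # Rules 2 and 4 look at the SQL body of low-privilege requests
        if low_priv and r.body:
            if OROLE_RE.search(r.body) and CLAUSE_RE.search(r.body):
                alerts.append((r.ts, r.src, "orole_clause_privilege_bypass"))
            if GRANT_RE.search(r.body):
                alerts.append((r.ts, r.src, "low_priv_self_grant"))
    return alerts


def suspicious_child_process(parent_cmdline, child_cmdline):
    """Rule 5: True when a process that looks like the OrientDB JVM spawns mkfifo/netcat."""
    parent = parent_cmdline.lower()
    looks_like_orientdb_jvm = "java" in parent and "orient" in parent
    return looks_like_orientdb_jvm and bool(SHELL_TOOL_RE.search(child_cmdline))


def run_sample():
    """Constructed request log: one writer-credential attack chain plus benign admin traffic."""
    t0 = datetime(2017, 7, 20, 12, 0, 0)

    def at(seconds):
        return t0 + timedelta(seconds=seconds)

    reqs = [
        Request(at(0), "10.0.0.5", "writer", "POST", "/command/demo/sql",
                "SELECT FROM oRole WHERE name = 'admin' ORDER BY name"),
        Request(at(5), "10.0.0.5", "writer", "POST", "/command/demo/sql",
                "GRANT UPDATE ON database.class.ouser TO writer"),
        Request(at(6), "10.0.0.5", "writer", "POST", "/command/demo/sql",
                "GRANT CREATE ON database.function TO writer"),
        Request(at(10), "10.0.0.5", "writer", "POST", "/document/demo",
                '{"@class":"OFunction","name":"f1","language":"groovy","code":"return 1"}'),
        Request(at(12), "10.0.0.5", "writer", "POST", "/function/demo/f1"),
        # benign: admin manages a JavaScript function; a reader only fetches a record
        Request(at(20), "10.0.0.9", "admin", "POST", "/document/demo",
                '{"@class":"OFunction","name":"f2","language":"javascript","code":"return 2"}'),
        Request(at(25), "10.0.0.9", "admin", "POST", "/function/demo/f2"),
        Request(at(30), "10.0.0.7", "reader", "GET", "/document/demo/9:1"),
    ]
    return detect_requests(reqs)


if __name__ == "__main__":
    for ts, src, rule in run_sample():
        print(ts.isoformat(), src, rule)
```

The create-then-invoke rule is stateful and keyed by source address; in production you would key it by authenticated user or session as well and require a successful response on the /document/ call. The GRANT rule fires for any non-admin GRANT, which is acceptable here because the default writer role has no legitimate reason to issue one.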
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
OSV
OrientDB vulnerable to Improper Privilege Management leading to arbitrary command injection
osv · 2018-10-18 · CRITICAL
GHSA
OrientDB vulnerable to Improper Privilege Management leading to arbitrary command injection
ghsa · 2018-10-18 · CRITICAL · CWE-269 (Improper Privilege Management)
VulnCheck
orientdb orientdb Improper Privilege Management
vulncheck · 2017 · CVSS 9.8 · CRITICAL
Affected: orientdb orientdb
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/
No detection rules found.
Exploit-DB
OrientDB - Code Execution
exploitdb · 2017-07-13 · CVSS 9.8 · CRITICAL
---
## Vulnerability Summary
The following advisory reports a vulnerability in OrientDB that allows low-privileged, authenticated users of the product to make it execute arbitrary code.
OrientDB is a distributed graph database engine that also offers the flexibility of a document database in a single product.
## Credit
An independent security researcher, Francis Alexander, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program.
## Vendor response
The vendor has released patches to address this vulnerability, which has been assigned CVE-2017-11467.
For more information: https://github.com/orientechnologies/orientdb/wiki/OrientDB-2.2-Release-Notes#security.
## Vulnerability Details
OrientDB uses RBAC model for aut
Metasploit
OrientDB 2.2.x Remote Code Execution
metasploit
This module leverages a privilege escalation on OrientDB to execute unsandboxed OS commands. All versions from 2.2.2 up to 2.2.22 should be vulnerable.
No writeups or analysis indexed.