I have this very large and complex server application that, amongst the numerous open-source tools that are baked into it, includes CouchDB 3.3.3. "Baked" is important because what the vendor does is bake in a stripped-down version of Couch; it’s not a full install. As part of our application deployment all installs have to get security scanned, and the security folks are bent out of shape over the port that Couch is configured on (29081 in this case, set in stone by the vendor of the app) not returning "Strict-Transport-Security" in the header. This app also includes Apache (which we are able to harden), and some of the traffic goes through Apache to Couch via that port, hence the https part of this. Here’s the problem: I can access Couch via:
CURL>curl -X GET -u admin:password https://someserver:29081/_users
and even see that the databases exist:
CURL>curl -X GET -u admin:password https://someserver:29081/_all_dbs
["_replicator","_users","dsconfig$"]
But when I try
CURL>curl -X GET -u admin:password https://someserver:29081/settings/security/responseHeaders
Per https://docs.couchbase.com/server/current/rest-api/rest-setting-hsts.html I get
{"error":"not_found","reason":"Database does not exist."}
I’m also able to get to the Fauxton web interface but there appears to be no HSTS configuration section/setting that is obvious.
2 Answers
could force-add the header on every Apache response under VirtualHost, e.g.
Best guess, the stripped-down db simply doesn’t support the settings/security/responseHeaders endpoint. Luckily you can probably add the HSTS headers with Apache instead.
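As a worked example of what the answers above suggest (added here; not from the question, the answers, or any vendor configuration): an Apache 2.4 VirtualHost that fronts the embedded CouchDB and sets Strict-Transport-Security on every response it serves, including error responses. The hostname, certificate paths, the /couch/ prefix and the loopback backend address are assumptions; 29081 is the port named in the question. Note that the docs page linked in the question describes Couchbase Server, a different product from Apache CouchDB, which is why a CouchDB instance answers that URL with a "Database does not exist" error.

```apache
# Added example, not part of the original page or the vendor's shipped config.
# Requires mod_ssl, mod_headers, mod_proxy and mod_proxy_http to be enabled.
<VirtualHost *:443>
    ServerName someserver.example            # assumed hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/someserver.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/private/someserver.key   # assumed path

    # "always" makes mod_headers add the header to non-2xx responses as well
    # (401 from basic auth, 404 from CouchDB), so a scanner sees it on every
    # status code rather than only on successful responses.
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    # Reverse-proxy to the embedded CouchDB. The question shows the backend
    # speaking TLS on 29081, so SSLProxyEngine is needed for an https:// target.
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyPass        /couch/ https://127.0.0.1:29081/
    ProxyPassReverse /couch/ https://127.0.0.1:29081/
</VirtualHost>
```

After `apachectl configtest` and a reload, confirm the header with `curl -sI -u admin:password https://someserver.example/couch/_all_dbs | grep -i strict-transport-security`. The caveat that matters for the scan finding: this only covers responses that pass through Apache. A scanner that connects to port 29081 directly still talks to CouchDB's own HTTP listener and will still not see the header, so the finding only goes away if 29081 is reachable from Apache alone (host firewall or bind address) and the scanner is pointed at the Apache-fronted port.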
It seems that the CouchDB service is exposed on port 29081, which might pose some security risks, especially if HSTS is not configured properly.
Given the situation, I recommend the following actions:
Audit the Server: Conduct a thorough audit of the server to check for any unauthorized changes or access. Specifically, look for:
Lateral Movement: Verify if there has been any movement within the system that could indicate a compromised environment.
Privilege Escalation: Check if any unauthorized privilege escalation has occurred, such as changes to database permissions or access rights. This includes verifying if the default admin user has had its rights altered or removed.
Architecture Verification: Examine the server’s architecture and configuration to ensure that all components are securely implemented and no unintended exposure exists.
Implementation Enumeration: Enumerate and review any backend implementations that might be exposed or improperly configured. This includes identifying and assessing any custom configurations or integrations that could introduce vulnerabilities.
Verify Database Integrity: Ensure that the CouchDB database and application are functioning correctly and have not been tampered with or broken.
Immediate attention to these areas will help in identifying and mitigating any potential security issues.