2018-06-12
Security Vulnerability Advisory 

Security Vulnerability Advisory for RavenDB 4.0


Executive Summary

During routine internal security testing, a remotely exploitable issue was discovered. This issue has been addressed in release 4.0.5.

This stable release is now generally available and we strongly recommend that you take immediate action to upgrade all your RavenDB 4.0 instances to address this issue.

Fixed version:          RavenDB 4.0.5
Affected versions:      RavenDB 4.0.0 - 4.0.4
Not affected:           RavenDB 3.5 or earlier
Severity:               Critical
Remotely exploitable:   Yes
Effects:                Remote privilege escalation; remote code execution
Workarounds:            None, upgrade available
Resolution:             Immediate update to the fixed version
Known exploits in use:  None
The fix is offered to all users of RavenDB, regardless of support or maintenance level. 

Recommendation

Immediately upgrade all publicly exposed RavenDB servers to the fixed version. If your RavenDB instances aren't publicly exposed, schedule upgrades to the fixed version as soon as possible.


Details

A failure to sanitize input from a remote client can allow a privilege escalation attack, up to and including the level of cluster administrator. The issue was discovered during a routine audit of our code base by the security team. There are no known exploits in the wild, nor any indication that it has been discovered or used by anyone else.
The fixed version is now available; take immediate steps to upgrade all your RavenDB instances to remediate this issue.
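As an added example (not part of the advisory or of RavenDB itself), a small Python triage script that flags servers in the affected 4.0.0 - 4.0.4 range and ranks them by the recommendation above; the host names, the inventory and the "-patch-NNNNN" version suffix are constructed assumptions.

```python
import re
from typing import List, Optional, Tuple

# Ranges taken from the advisory table: 4.0.0 through 4.0.4 affected, fixed in 4.0.5.
AFFECTED_MIN = (4, 0, 0)
AFFECTED_MAX = (4, 0, 4)
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?")  # major.minor[.build]; suffix ignored

def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    # (major, minor, build); a missing build counts as 0; None if unparsable.
    m = _VERSION_RE.match(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")

def classify(text: str) -> str:
    # Map a reported version string onto the advisory's categories.
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v < AFFECTED_MIN:
        return "not-affected"  # advisory: 3.5 or earlier is not affected
    if v <= AFFECTED_MAX:
        return "affected"
    return "fixed"  # 4.0.5 or later

def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str]]:
    # (host, version, publicly_exposed) -> (host, status, upgrade_priority)
    result = []
    for host, version, exposed in inventory:
        status = classify(version)
        if status == "affected":
            # Recommendation: public servers immediately, others as soon as possible.
            priority = "immediate" if exposed else "asap"
        elif status == "unknown":
            priority = "review"  # version not readable; check the host by hand
        else:
            priority = "none"
        result.append((host, status, priority))
    return result

# Constructed sample inventory: hypothetical hosts, "-patch-NNNNN" suffix assumed.
SAMPLE_INVENTORY = [
    ("db-public-1", "4.0.3-patch-40033", True),
    ("db-internal-2", "4.0.4", False),
    ("db-internal-3", "4.0.5", False),
    ("legacy-4", "3.5.7", True),
    ("odd-5", "n/a", True),
]
```

Run `triage(SAMPLE_INVENTORY)` to get one (host, status, priority) row per server; feed it your own inventory of reported server versions.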

If you have any questions regarding support and maintenance, contact us at support@ravendb.net or security@ravendb.net.

Customers are urged to keep their support and maintenance contracts current, and to install the latest available updates to their installed products.


