Security Vulnerability Advisory
Executive Summary
During routine internal security testing, a remotely exploitable issue was discovered. This issue has been addressed, and the fix is included in release 4.0.5.
This stable release is now generally available and we strongly recommend that you take immediate action to upgrade all your RavenDB 4.0 instances to address this issue.
| | |
|---|---|
| Fixed Version | RavenDB 4.0.5 and upward |
| Affected Versions | RavenDB 4.0.0 – 4.0.4 |
| Not affected | RavenDB 3.5 or earlier |
| Severity | Critical |
| Remotely exploitable | Yes |
| Effects | Remote privilege escalation, remote code execution |
| Workarounds | None, upgrade available |
| Resolution | Immediate update to the fixed version |
| Known exploits in use | None |
The fix is offered to all users of RavenDB, regardless of support or maintenance level.
Recommendation
Immediately upgrade all publicly exposed RavenDB servers to the fixed version. If your RavenDB instances aren’t publicly exposed, schedule upgrades to the fixed version as soon as possible.
Details
A failure to sanitize input from a remote client can allow a privilege escalation attack, up to and including the level of cluster administrator. This was discovered during a routine audit of our code base by the security team. There are no known exploits at large, nor any indication that this has been discovered or used by anyone else.
The fix version is now available and you should take immediate steps to upgrade all your RavenDB instances to alleviate this issue.
If you have any questions regarding support and maintenance, contact us at support@ravendb.net or security@ravendb.net.
Customers are urged to keep their support and maintenance contracts current, and to install the latest available updates to their installed products.