CUBRID is an open source relational database management system highly optimized for Web applications. It consists of CUBRID Server and many GUI client programs and programming drivers.
On this page we post updates about security vulnerabilities in CUBRID Server, its GUI tools and drivers.
The following is a list of the latest issues and their solutions, ordered by date.
The patch is recommended if customers use CUBRID Web Manager for remote database connections.
CUBRID Manager Server (CMS) is a server-side component which communicates with CUBRID Manager (CM) and CUBRID Web Manager (CWM). CMS is a sub-system of the CUBRID engine package and works independently from the CUBRID engine and Broker processes. It provides both HTTP and socket interfaces for managing and monitoring the CUBRID Engine, covering almost every need that can be thought of.
Refer to the 2013-08-01 CUBRID Manager Server Patch document for the steps to apply this patch.
You can download patch binaries from http://ftp.cubrid.org/CUBRID_Tools/CUBRID_Manager_Server/8.4.3/ and http://ftp.cubrid.org/CUBRID_Tools/CUBRID_Manager_Server/9.1.0/ for your CUBRID version.
Today the CUBRID Tools Team updated CM Server to fix several security issues found in CMS version 8.4.3.0035 and earlier, and 9.1.0.0021 and earlier. Information about these flaws can be found on the CUBRID JIRA Issue Tracker pages listed below:
The CUBRID Tools Team has rated this update as having important security impact.
This patch upgrades CMS to version 8.4.3.0036 or 9.1.0.0022.
All CUBRID users who have CMS installed should apply these patches, which correct these issues. After installing this update, the CMS service should be restarted manually.
The issue was found by KCCSecurity and reported by KISA (Korean Internet & Security Agency).
1. Versions: CUBRID Web Manager (CWM) 9.1.0 Linux, Windows
2. Condition: (1) CMServer Host user log-in -> (2) Database user log-in -> (3) Import
3. Cause of Vulnerability: Web Manager uses an absolute path when uploading a file to the database server (in export/import APIs).
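
The server-side check that this class of flaw calls for, as an added example (not CUBRID's patch or code): a client-supplied upload path is accepted only if it is relative and resolves inside a fixed upload directory. It goes beyond the absolute-path case named above to also reject parent-directory components and symlink escapes. The function names, the upload directory and the sample paths are assumptions made for illustration.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

class UnsafeUploadPath(ValueError):
    """Client-supplied path would place the file outside the upload directory."""

def resolve_upload_target(base_dir, client_path):
    """Return the absolute location for client_path, confined to base_dir."""
    if not client_path or "\x00" in client_path:
        raise UnsafeUploadPath("empty path or embedded NUL")
    # PureWindowsPath parses both "/" and "\" separators plus drive and UNC
    # prefixes, so one lexical pass covers Linux- and Windows-style input.
    win = PureWindowsPath(client_path)
    if client_path.startswith("/") or win.drive or win.root:
        raise UnsafeUploadPath("absolute path")
    if not win.parts or ".." in win.parts:
        raise UnsafeUploadPath("no file name or parent-directory component")
    base = Path(base_dir).resolve()
    # resolve() follows symlinks in existing components, so a link that points
    # outside base_dir fails the containment check below.
    target = base.joinpath(*win.parts).resolve()
    if os.path.commonpath([str(base), str(target)]) != str(base):
        raise UnsafeUploadPath("resolves outside upload directory")
    return target

# Constructed sample inputs (hypothetical, not taken from the advisory).
SAMPLES = ["import/demo.csv", "import\\demo.csv", ".",
           "/var/tmp/outside.csv", "C:\\Temp\\outside.csv",
           "\\\\host\\share\\outside.csv", "../../outside.csv"]

def check_samples():
    """Return {sample: True if accepted, False if rejected}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        for name in SAMPLES:
            try:
                resolve_upload_target(base, name)
                results[name] = True
            except UnsafeUploadPath:
                results[name] = False
    return results

if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{'accept' if ok else 'reject'}  {name!r}")
```

Only the two relative `import` paths are accepted; every absolute, drive-prefixed, UNC or parent-directory form is rejected before any file is written.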