
CUBRID Security Vulnerability Updates


CUBRID is an open source relational database management system highly optimized for Web applications. It consists of CUBRID Server and many GUI client programs and programming drivers.

In this page we will be posting updates about security vulnerabilities in CUBRID Server, its GUI tools and drivers.

The following is a list of the latest issues and their solutions, ordered by date.

 

2013-08-03 CUBRID Manager Server patch

To Whom

The patch is recommended if customers use CUBRID Web Manager for remote database connection.

CUBRID Manager Server (CMS) is a server-side component that communicates with CUBRID Manager (CM) and CUBRID Web Manager (CWM). CMS is a subsystem of the CUBRID engine package and works independently of the CUBRID engine and Broker processes. It provides both HTTP and socket interfaces for managing and monitoring the CUBRID engine, covering almost every need that can be thought of.

How to Apply a Patch

Refer to the 2013-08-01 CUBRID Manager Server Patch document for the steps to apply this patch.
You can download patch binaries from http://ftp.cubrid.org/CUBRID_Tools/CUBRID_Manager_Server/8.4.3/ and http://ftp.cubrid.org/CUBRID_Tools/CUBRID_Manager_Server/9.1.0/ for your CUBRID version.

Patch description

Today the CUBRID Tools Team updated CM Server to fix several security issues found in CMS version 8.4.3.0035 and earlier, and 9.1.0.0021 and earlier. Information about these flaws can be found on the CUBRID JIRA Issue Tracker pages listed below:

  • TOOLS-3393: CM API "exportdb" improvement: specify the export path and file name on server.
  • TOOLS-3420: Export Improve: CM API "exportdb" specify filename and path on server, CWM should improve also.

The CUBRID Tools Team has rated this update as having important security impact.

This patch upgrades CMS to version 8.4.3.0036 or 9.1.0.0022.

All CUBRID users who have CMS installed should apply these patches, which correct these issues. After installing this update, the CMS service should be restarted manually.

 

2013-07-25 CUBRID Security Issue Reported

The issue was found by KCCSecurity and reported by KISA (Korean Internet & Security Agency).

Vulnerability Details:

1. Versions: CUBRID Web Manager (CWM) 9.1.0 Linux, Windows

2. Condition: (1) CMServer Host user log-in -> (2) Database user log-in -> (3) Import

3. Cause of Vulnerability: Web Manager uses an absolute path when uploading a file to the database server (in export/import APIs).
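
The cause above is a client-supplied absolute path reaching a server-side file API. The C code below is an added example, not CUBRID's code and not the actual CMS fix: it shows the general server-side pattern in which the server fixes the directory and accepts only a bare file name from the client. `EXPORT_DIR`, `MAX_NAME`, `build_export_path` and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: hypothetical export directory fixed by the server, not a real CMS path. */
#define EXPORT_DIR "/var/lib/cms-example/export"
#define MAX_NAME 64

/* Builds EXPORT_DIR/<name> into out. Returns 0 on success, -1 if the
 * client-supplied name is rejected or does not fit. */
int build_export_path(const char *name, char *out, size_t outlen)
{
    size_t i, n;

    if (name == NULL || out == NULL)
        return -1;
    n = strlen(name);
    if (n == 0 || n > MAX_NAME)
        return -1;
    if (name[0] == '.')                 /* ".", ".." and hidden files */
        return -1;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Allowlist: no '/', '\\' or ':' means no absolute path, drive
         * letter or directory component can get through. */
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return -1;
    }
    if ((size_t)snprintf(out, outlen, "%s/%s", EXPORT_DIR, name) >= outlen)
        return -1;                      /* truncated: refuse rather than cut */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs, as a client might send them. */
    const char *samples[] = { "demodb_2013.dump", "/etc/passwd",
                              "C:\\Windows\\win.ini", "../../etc/hosts" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_export_path(samples[i], path, sizeof path) == 0)
            printf("accept %-20s -> %s\n", samples[i], path);
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```

Because the check is an allowlist on a single path component, it does not depend on the file existing and behaves the same for Linux-style and Windows-style input.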

Author
posted last year by
Esen Sagynov