QID 730332

Date Published: 2022-01-13

QID 730332: Couchbase Server Security Update For Log4shell

Couchbase Server, originally known as Membase, is an open-source, distributed multi-model NoSQL document-oriented database software package optimized for interactive applications.

CVE-2021-44228: A critical issue in the Apache Log4J utility as used by the Couchbase Analytics Service requires updating to prevent potential Remote Code Execution (RCE) and sensitive data extraction.

Affected Products:
Couchbase Server version from 7.0.0 prior to 7.0.3
Couchbase Server version from 6.6.0 prior to 6.6.4
Couchbase Server versions 6.5.x
Couchbase Server versions 6.0.x

QID Detection Logic(Unauthenticated):
This QID sends a GET request and identify the vulnerable version of Couchbase server on /versions.

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on the target system.

  • CVSS V3 rated as Critical - 10 severity.
  • CVSS V2 rated as Critical - 9.3 severity.
  • Solution

    Customers are advised to refer to Couchbase Server for more information.Workaround:
    Please refer to Couchbase Server Workaround for more information.

    Vendor References

    CVEs related to QID 730332

    Software Advisories
    Advisory ID Software Component Link
    Couchbase Server CVE-2021-44228 URL Logo www.couchbase.com/alerts