Community mailing list archives
community@mail.odoo.com
Re: Odoo Security Advisory - 2015-password-crypt
by Ana Juaristi Olalde

Thanks, this kind of security advisory is VERY MUCH WELCOME!!! Thanks a lot!

On Tue, 23 Jun 2015 at 11:50, Olivier Dony (<odo@odoo.com>) wrote:

Security Advisory 2015-password-crypt

Title: User access to secure password hashes
Affects: Odoo 7.0 and 8.0
Component: Odoo Addons
Credits: Openinside Co.
GitHub: https://github.com/odoo/odoo/issues/7241

I. Background

Odoo comes with an `auth_crypt` module implementing secure password hashes, instead of the default clear text storage for passwords. This module is optional in Odoo 7.0, but installed automatically as of Odoo 8.0 for new databases. Upgrading an instance from Odoo 7.0 to Odoo 8.0 does not automatically install it, though.

II. Problem Description

The `auth_crypt` module did not sufficiently protect the database field containing the secure password hashes.

III. Impact

A malicious user with read access to the list of users could make direct RPC calls to the Odoo server and read the secure password hashes of the users. The secure password hashes are salted using a random source of entropy, so they cannot be looked up in rainbow tables. However, it is not impossible that weak passwords could be retrieved by brute-force attacks or dictionary-based attacks.

In Odoo 8.0 only internal users of the database can possibly exploit this vulnerability, as portal/external/public users do not have read access to the users by default. In Odoo 7.0 both internal users and external users could possibly exploit this vulnerability, if the `portal` or `portal_anonymous` modules are installed, as these modules provide read access to the list of users by default.

Odoo S.A. is not aware of any malicious use of this vulnerability. Customers using Odoo Online are not vulnerable, as the platform was updated as soon as the fix was available.

Access Vector: Network exploitable
Access Complexity: Medium
Authentication: Privileged user account required
CVSS Score: 3.8 (AV:N/AC:M/Au:S/C:P/I:P/A:N/E:POC/RL:OF/RC:C)

IV. Workaround

For Odoo 7.0, uninstalling the `portal` module will prevent exploiting this vulnerability for external users. There is no workaround to completely prevent exploits from internal users of the system, short of uninstalling the `auth_crypt` module itself, which will require resetting the password of all users using local passwords.

V. Solution

Apply the patches corresponding to your Odoo installation, or upgrade to the latest revision, either via GitHub or by downloading the latest version from https://www.odoo.com/page/download or http://nightly.odoo.com

To apply the patch, change into the main directory of your Odoo installation (the one containing "openerp" and "addons" directories), then execute the patch command, typically:

patch -p0 -f

_______________________________________________
Mailing-List: https://www.odoo.com/groups/community-59
Post to: mailto:community@mail.odoo.com
Unsubscribe: https://www.odoo.com/groups?unsubscribe
Ana Juaristi Olalde : Personal phone: 677 93 42 59. User/usuario skype: Avanzosc
www.openerpsite.com

This message and all documents attached to it are confidential and intended only for the person or entity to which it is addressed. Any use of this information by unauthorised persons is prohibited under current legislation. If you received this message by error, please advise us, destroy it and refrain from communicating its contents to third parties. We apologise for any inconvenience receiving this email improperly may cause to you. Your personal data are included in a file owned by Avanzosc, S.L. If you want to exercise your rights of access, correction, erasure and objection you can contact the Controller at Klara Donea 13 20720, Azkoitia (Gipuzkoa), T: 943 02 69 02 – administracion@avanzosc.es
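The mitigation the advisory describes, masking the password hash field on the RPC read path so that read access to the user list no longer exposes hashes, as an added Python example that is not Odoo's code and not part of the original message. The record layout, the field name `password_crypt` and the sample users are assumptions modelled on the `auth_crypt` module; the example also covers the "no field list given" path, where masking is easy to forget.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an ORM-backed users table; this is not Odoo's API.
# Field names are assumptions modelled on auth_crypt ("password_crypt").
SENSITIVE_FIELDS = frozenset({"password", "password_crypt"})
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 hash stored as 'salthex$digesthex'; salt from os.urandom."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


# Constructed sample records: the clear-text column is emptied once a hash exists.
USERS = {
    1: {"id": 1, "login": "admin", "password": "", "password_crypt": hash_password("admin-secret")},
    2: {"id": 2, "login": "demo", "password": "", "password_crypt": hash_password("demo")},
}


def read(ids, fields=None):
    """RPC-style read. A caller with read access on users gets the requested
    fields, but hash fields are masked (returned as False) for every caller,
    including the superuser, and also when no field list is given."""
    result = []
    for rid in ids:
        rec = USERS[rid]
        wanted = list(rec) if not fields else fields
        result.append({f: (False if f in SENSITIVE_FIELDS else rec[f]) for f in wanted})
    return result


def check_credentials(login, password):
    """The only code path that touches the stored hash; constant-time compare."""
    for rec in USERS.values():
        if rec["login"] == login and rec["password_crypt"]:
            salt_hex, stored = rec["password_crypt"].split("$")
            digest = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
            return hmac.compare_digest(digest.hex(), stored)
    return False
```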
Reference

- Odoo Security Advisory - 2015-password-crypt, by Olivier Dony (odo)
- Re: Odoo Security Advisory - 2015-password-crypt, by André P. <app@thinkopen.solutions> - 06/24/2015 04:52:18
- Re: Odoo Security Advisory - 2015-password-crypt, by Credativ, Ondrej Kuznik
- Re: Odoo Security Advisory - 2015-password-crypt, by AVANZOSC, S.L, Ana Juaristi Olalde
- Re: Odoo Security Advisory - 2015-password-crypt, by El Aleman, David Arnold