Community mailing list archives

Odoo Security Advisory - 2016-02-stored-rce

Olivier Dony (odo)
- 02/24/2016 06:28:34
Odoo Security Advisory                   2016-02-stored-rce

Title: Stored remote code execution

Affects: All Odoo versions
Component: Odoo Framework
Credits: Colin Newell and Ondřej Kuzník


I.   Background

Odoo includes a mechanism to store preferred default values for commonly
used form fields, either globally for all users, or per user.
This is automatically available for all models/documents in all modules,
and works for most types of fields.

In addition, the Odoo API is accessible for remote scripting by
authorized users, using several RPC protocols.

II.  Problem Description

The serialization system for the default values relies on the "pickle"
object serialization algorithm.
The pickle module of Python is not secure against erroneous or
maliciously constructed data, and in its default configuration, could be
exploited to execute arbitrary Python code.

III. Impact

Access Vector: Network exploitable
Access Complexity: Low
Authentication: User account required

Malicious Odoo users with at least basic access to the system (including
"portal" or "external" users) could craft specific RPC packets causing
the execution of arbitrary Python code.

Such arbitrary code could for example allow the attacker to read or
write to the database without restriction, or to access the filesystem
and network of the hosting server with the credentials of the Odoo
Service. Data accessed in this manner could be sensitive and include
credentials from other users and services.

Exploiting this vulnerability requires remote network access and
the credentials of a valid Odoo user on a database hosted on a
vulnerable Odoo installation.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV.  Workaround

Regular Odoo access control list (ACL) restrictions apply to default
values, so Odoo administrators can restrict the creation/modification of
those default values to prevent exploiting the vulnerability.

This is done by restricting "Create Access" and "Write Access" on the
"ir.values" object for all user groups that are not trusted, in the
"Access Control List" menu of the technical administration settings.
If you uncheck the checkbox in both columns of the default ACL line,
nobody will be able to save and modify default values, except the
special "Administrator" user.

Note: Odoo administrators need Technical Features enabled in order to
see the Access Control List menu.

For Odoo deployments where untrusted users are allowed to administrate
their own Odoo database (SaaS-like), no workaround is available.

Odoo Online servers have been patched as soon as the correction was

V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

       patch -p0 -f