Odoo Security Advisory - 2016-03-unsafe-getattr

Olivier Dony (odo)
- 02/24/2016 06:28:36
Odoo Security Advisory                   2016-03-unsafe-getattr

Title: Sandbox escape vulnerability

Affects: All Odoo versions
Component: Marketing Campaign / Lead Automation module
Credits: Colin Newell


I.   Background

Odoo includes a sandbox for interpreting dynamic business logic
components, such as workflow actions, automated data triggers,
or dynamic expressions used inside report templates.

In order to be allowed to customize any of these dynamic business logic
components, one must usually be an administrator of an Odoo database,
or have otherwise received elevated privileges.

II.  Problem Description

The Marketing Campaign / Lead Automation module contained an unsafe
function that could allow an attacker to escape the boundaries of the
"dynamic business logic" sandbox.

III. Impact

Access Vector: Network exploitable
Access Complexity: High
Authentication: Privileged account required

In installations where untrusted users are given elevated privileges
(such as SaaS-like / multi-tenant environments), malicious users
with a privileged / administrator account could craft specific
"dynamic business logic components" to exploit this vulnerability and
escape the controlled sandbox environment.
This could allow them to access sensitive data such as user passwords,
including those in other databases on the same Odoo system.

Databases where the Marketing Campaign/Lead Automation module is not
installed are not vulnerable. However, in multi-tenant/SaaS environments,
privileged users are usually allowed to install new modules.

Odoo S.A. is not aware of any malicious use of this vulnerability.

IV.  Workaround

In multi-tenant environments, make the Marketing Campaign/Lead
Automation module uninstallable, for example by deleting the
"marketing_campaign" directory in your Odoo installation, and restarting
the server.
This will disable all the features of this module, and could make
databases where it is installed partially unusable.

Odoo Online servers have been patched as soon as the correction was

V.   Solution

Apply the patches corresponding to your Odoo installation, or upgrade
to the latest revision, either via GitHub or by downloading the
latest version from

To apply the patch, change into the main directory of your Odoo
installation (the one containing "openerp" and "addons" directories),
then execute the patch command, typically:

       patch -p0 -f
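
To confirm the workaround in section IV across every addons path of a multi-tenant server, the following added example (not part of the advisory or of Odoo's code) reports each remaining "marketing_campaign" directory and what its manifest says. The function names and the sample tree are constructed for illustration; treating a manifest with `installable` set to False as also meeting the "uninstallable" goal is an assumption.

```python
import ast
import os
import tempfile

MODULE = "marketing_campaign"  # directory name given in the advisory
MANIFESTS = ("__openerp__.py", "__manifest__.py")  # Odoo manifest file names

def audit_addons_paths(addons_paths, module=MODULE):
    """Return (module_dir, status) for every addons path still holding the module."""
    findings = []
    for root in addons_paths:
        mod_dir = os.path.join(root, module)
        if not os.path.isdir(mod_dir):
            continue  # directory deleted: workaround applied for this path
        found = [p for p in (os.path.join(mod_dir, m) for m in MANIFESTS) if os.path.isfile(p)]
        if not found:
            findings.append((mod_dir, "leftover directory, no manifest"))
            continue
        try:
            with open(found[0], encoding="utf-8") as fh:
                meta = ast.literal_eval(fh.read())  # parse as data, never exec
            flag = meta.get("installable", True)  # Odoo defaults this key to True
            status = "installable" if flag else "marked not installable"
        except (ValueError, SyntaxError, AttributeError):
            status = "manifest unreadable, treat as installable"
        findings.append((mod_dir, status))
    return findings

def build_sample_tree(base):
    """Constructed sample: three addons paths in different states."""
    layout = {
        "addons_a": "# constructed manifest\n{'name': 'demo', 'installable': True}\n",
        "addons_b": "{'name': 'demo', 'installable': False}\n",
        "addons_c": None,  # module directory already deleted
    }
    for name, manifest in layout.items():
        os.makedirs(os.path.join(base, name))
        if manifest is not None:
            os.makedirs(os.path.join(base, name, MODULE))
            with open(os.path.join(base, name, MODULE, MANIFESTS[0]), "w") as fh:
                fh.write(manifest)
    return [os.path.join(base, name) for name in layout]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, status in audit_addons_paths(build_sample_tree(tmp)):
            print(path, "->", status)
```

Pass the real addons paths of the installation to `audit_addons_paths`; an empty result means no copy of the module remains on disk.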