
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-24706 is a critical vulnerability in Apache CouchDB versions prior to 3.2.2, discovered and disclosed in April 2022. The vulnerability allows an attacker to access an improperly secured default installation without authentication and gain administrator privileges. The issue affects CouchDB installations that use default configuration settings, particularly in relation to the Erlang distribution system (NVD, Security Online).
The vulnerability stems from two key configuration issues in CouchDB's default installation. First, CouchDB opens a random network port bound to all available interfaces for clustered operation and runtime introspection, with a utility process called epmd advertising that random port to the network on a fixed port. Second, CouchDB packaging previously used a default cookie value ("monster") for both single-node and clustered installations, which authenticates communication between Erlang nodes. While the CouchDB documentation provided security recommendations, many users did not follow this advice (Openwall).
The vulnerability allows unauthorized attackers to gain administrator privileges on affected CouchDB installations. This could lead to complete system compromise as attackers could potentially execute arbitrary code on the target system through the Erlang distribution protocol (Security Online).
CouchDB version 3.2.2 and later refuse to start with the default Erlang cookie value of "monster", forcing users to choose a different value. Additionally, all binary packages have been updated to bind epmd and the CouchDB distribution port to localhost (127.0.0.1 and/or ::1). For installations that cannot immediately upgrade, it is recommended to set up a firewall in front of CouchDB installations and ensure that only port 5984 is exposed for single-node installations (Openwall).
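The two conditions described above (the shared default cookie and a distribution listener reachable from the network) can be audited from the Erlang VM arguments file that CouchDB starts with. The following script is an added example and is not part of this report or of CouchDB's own tooling. It assumes a vm.args-style file with one `-flag value` entry per line and `#` comment lines, checks the `-setcookie` value against the default "monster", and checks whether the Erlang kernel parameter `inet_dist_use_interface` pins the distribution port to a loopback address; the two sample configurations embedded in it are constructed for illustration, not copied from a real installation.

```python
"""
Audit a CouchDB Erlang VM arguments file (vm.args) for the two default
settings behind CVE-2022-24706: the shared default cookie "monster" and a
distribution listener that is not restricted to a loopback interface.

Added example, not CouchDB's own code. Assumptions: the vm.args syntax
handled by parse_vm_args() (one "-flag value" per line, '#' comment lines)
and the Erlang kernel parameter `inet_dist_use_interface`, which neither
appears in the report above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_COOKIE = "monster"  # shipped default; CouchDB >= 3.2.2 refuses to start with it
# 127.0.0.1 and ::1 written as Erlang address tuples
LOOPBACK_TUPLES = {"{127,0,0,1}", "{0,0,0,0,0,0,0,1}"}


@dataclass
class Finding:
    severity: str  # "critical" or "warning"
    message: str


@dataclass
class AuditResult:
    cookie: Optional[str] = None
    dist_interface: Optional[str] = None
    findings: List[Finding] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        """True when no critical finding was recorded."""
        return not any(f.severity == "critical" for f in self.findings)


def parse_vm_args(text: str) -> Dict[str, List[str]]:
    """Map each flag (e.g. '-kernel') to the list of argument strings that
    followed it; flags such as -kernel legitimately repeat. Comment lines
    and anything that does not start with '-' are ignored."""
    args: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        args.setdefault(parts[0], []).append(value)
    return args


def audit_vm_args(text: str) -> AuditResult:
    """Flag the default cookie and a non-loopback distribution interface."""
    args = parse_vm_args(text)
    result = AuditResult()

    cookies = args.get("-setcookie", [])
    if not cookies:
        # Without -setcookie the node falls back to ~/.erlang.cookie.
        result.findings.append(Finding(
            "warning", "no -setcookie; node uses ~/.erlang.cookie, verify its value"))
    else:
        result.cookie = cookies[-1]  # last occurrence wins, as with repeated flags
        if result.cookie == DEFAULT_COOKIE:
            result.findings.append(Finding(
                "critical", "Erlang cookie is the public default 'monster' (CVE-2022-24706)"))
        elif len(result.cookie) < 20:
            result.findings.append(Finding(
                "warning", "Erlang cookie is short; use a long random value"))

    for kernel_arg in args.get("-kernel", []):
        m = re.match(r"inet_dist_use_interface\s+(\S+)", kernel_arg)
        if m:
            result.dist_interface = m.group(1)
    if result.dist_interface is None:
        result.findings.append(Finding(
            "critical", "distribution port binds all interfaces; "
                        "set -kernel inet_dist_use_interface {127,0,0,1}"))
    elif result.dist_interface not in LOOPBACK_TUPLES:
        result.findings.append(Finding(
            "warning", f"distribution port bound to {result.dist_interface}, not loopback"))
    return result


# Constructed sample resembling a pre-3.2.2 default vm.args.
VULNERABLE_VM_ARGS = """\
# constructed sample, default cookie and no interface restriction
-name couchdb@127.0.0.1
-setcookie monster
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9200
"""

# Constructed hardened sample: random cookie, distribution port on loopback.
HARDENED_VM_ARGS = """\
# constructed sample; the cookie below is a made-up random value
-name couchdb@127.0.0.1
-setcookie 7f3c9e1b2a4d6c8e0f1a3b5c7d9e2f4a
-kernel inet_dist_use_interface {127,0,0,1}
-kernel inet_dist_listen_min 9100
-kernel inet_dist_listen_max 9200
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_VM_ARGS), ("hardened", HARDENED_VM_ARGS)):
        res = audit_vm_args(cfg)
        print(f"{label}: ok={res.ok}")
        for f in res.findings:
            print(f"  [{f.severity}] {f.message}")
```

Run it against the file your CouchDB package actually points at; the interface check only covers the Erlang distribution port, so the separate advice above about fronting the installation with a firewall that exposes only port 5984 still applies to epmd's fixed port.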
Source: This report was generated using AI