Knowledgebase:
Product Alert - Optic security advisory
23 August 2023 03:32 PM

Summary

The MarkLogic team recently discovered a vulnerability in two Optic query language operators introduced in MarkLogic Server 10.0-6. If you are using MarkLogic Server 10.0-6 or newer, you will need to deploy the corresponding patched version.
As part of our responsible disclosure approach, we are sharing details and remediation steps with our customers who are under active maintenance.
Customers should upgrade to a patched version of MarkLogic Server as soon as possible.
Customers unable to upgrade should harden their environment to help protect the query and eval endpoints.

Who is Affected?

You are affected if you use MarkLogic Server 10.0-6 or newer AND use RBAC (with or without Compartment Security) or QBAC to restrict read operations AND if one or more of the following is true:
  • You are using op.fromSearch() or op.fromSearchDoc() in your Optic queries
  • The v1/rows endpoint is exposed to allow execution of arbitrary Optic queries directly or via the client libraries.
  • The v1/eval endpoint or an XCC server is exposed, and users have been granted the privilege to execute arbitrary code against the server directly or via the client libraries.
  • Non-admin users have been granted access to Query Console.

You are not affected if you are using earlier versions of MarkLogic or if you do not rely on role-based or query-based access control (for example if all your data is public) or if you rely on RBAC and QBAC solely to control write operations (inserting, deleting, or updating documents in a database).

Timeline and Next Steps

Customers should prioritize upgrade over all other forms of remediation.
Once you establish that you are affected by verifying your configuration, please log a ticket with our technical support by visiting https://help.marklogic.com/Tickets/Submit/ and specify the exact version of MarkLogic Server you are running so the team can direct you to the appropriate remediation procedure.
The following patched MarkLogic Server releases are available:
  • 10.0-6.6
  • 10.0-7.4
  • 10.0-8.5
  • 10.0-9.7
  • 10.0-10.2
  • 11.0.3
If you are unable to upgrade, our technical support team can guide you through disabling the corresponding features.
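A version triage helper, added here as an example and not part of the advisory or of MarkLogic's own tooling. It assumes version strings in the form xdmp.version() returns ("10.0-9.2", "11.0.3"), uses the patched releases listed above, and reports any release line the advisory does not list as unknown; an "affected" result still depends on the access-control and endpoint conditions under "Who is Affected?".

```python
import re

# First patched release on each affected line, as listed in the advisory.
# Keys are the release line (10.0-x lines keyed on three components,
# 11.0 keyed on two); lines not present here are reported as "unknown".
PATCHED = {
    (10, 0, 6): (10, 0, 6, 6),
    (10, 0, 7): (10, 0, 7, 4),
    (10, 0, 8): (10, 0, 8, 5),
    (10, 0, 9): (10, 0, 9, 7),
    (10, 0, 10): (10, 0, 10, 2),
    (11, 0): (11, 0, 3),
}

FIRST_VULNERABLE = (10, 0, 6)  # operators were introduced in 10.0-6


def parse_version(text):
    """Parse '10.0-9.2', '10.0-6' or '11.0.3' into a tuple of ints.
    Returns None for strings that do not look like a MarkLogic version."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:[-.](\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def assess(text):
    """Classify a server version as 'not-affected', 'affected',
    'patched' or 'unknown' against the advisory's patched releases."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v < FIRST_VULNERABLE:           # predates the affected operators
        return "not-affected"
    key = v[:3] if v[:2] == (10, 0) else v[:2]
    fixed = PATCHED.get(key)
    if fixed is None:
        return "unknown"               # line not in the advisory; ask support
    return "patched" if v >= fixed else "affected"


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("9.0-13", "10.0-6", "10.0-9.2", "10.0-9.7", "11.0.2", "11.0.3"):
        print(f"{sample:>10}: {assess(sample)}")
```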

Impact and Remediation for DHS customers

AWS Data Hub Service (DHS) instances are impacted. The MarkLogic CloudOps support team will open a ticket for each affected customer to arrange any planned downtime and the steps to remedy.
DHS customers have no action to take for the services hosted by MarkLogic CloudOps, unless they also run their own on-prem clusters, in which case they should follow the process outlined for the non-DHS environment ("Impact on MarkLogic Server").

Upgrade Resources:

Q&A

Q:  What is "RBAC (with or without Compartment Security)"?  

A:  This is the usual MarkLogic security where read permissions on documents are used to control access.

Q:  What is in the patch releases?

A:  Changes between versions can be checked as usual at help.marklogic.com.

Q:  Where can I download the above patch releases?

A:  Click on the latest binary for the MarkLogic version and operating system you want to download. For example, click 'MarkLogic Server x64 (AMD64, Intel EM64T) 64-bit Linux RPM' for the Linux binary.
