Bug 1049748 (CVE-2012-6619)

Summary: CVE-2012-6619 mongodb: memory over-read via incorrect BSON object length
Product: [Other] Security Response Reporter: Ratul Gupta <ratulg>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, admiller, aortega, apevec, athomas, ayoung, bgollahe, bhu, bkearney, bleanhar, bretm, ccoleman, chrisw, cpelland, dmcphers, drieden, esammons, fpercoco, gkotton, iboverma, iheim, jdetiber, jialiu, jim, jmatthew, johan.o.hedin, jross, jrusnack, katello-bugs, kseifried, lhh, lmeyer, markmc, matt, mcressma, mmaslano, mmccune, mmcgrath, mrg-program-list, nathaniel, nobody+bgollahe, ovasik, rbryant, rhos-maint, sclewis, tdawson, tsanders, williams, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mongodb 2.3.2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-17 05:44:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1050760, 1050761, 1050762, 1050763, 1050764, 1050767, 1050768, 1050769    
Bug Blocks: 1049750, 1059047    

Description Ratul Gupta 2014-01-08 06:36:03 UTC 
MongoDB was found to be affected by a memory over-read bug that can be used by an authenticated user (if applicable) to obtain raw MongoDB server process memory contents via incorrect BSON object length.

This issue does not seem to cross a security boundary under most deployments, but for some it could, like differently-privileged MongoDB users, data already deleted from the DB yet staying in process memory, or/and metadata that is not normally retrievable.

References:
http://seclists.org/oss-sec/2014/q1/27
http://blog.ptsecurity.com/2012/11/attacking-mongodb.html
https://github.com/cyberpunkych/attacking_mongodb (The files used for the attack demonstration.)
Comment 1 Vincent Danen 2014-01-08 17:12:54 UTC 
According to http://www.mongodb.org/about/alerts/#security-related this issue was corrected on 11/27/2012 and affects version 2.3.1 and earlier, and is corrected in 2.3.2.

It is described as "Object validation (--objcheck) not performed by default."

The upstream original bug report for this is:

https://jira.mongodb.org/browse/SERVER-7769

Which indicates the following commits correct the issue:

https://github.com/mongodb/mongo/commit/6889d1658136c753998b4a408dc8d1a3ec28e3b9
https://github.com/mongodb/mongo/commit/f9817a6cf64bdba8e1e1cef30a798110df746b58
Comment 2 Vincent Danen 2014-01-08 17:15:15 UTC 
As an aside, there is an implication in the upstream bugs that were duped against SERVER-7769 that this also can cause a denial of service (crash of the mongodb server process).
Comment 3 Vincent Danen 2014-01-08 17:24:13 UTC 
The upstream report does not indicate when the flaw was introduced, so it is unknown as of yet whether or not 1.x is affected by this at all.
Comment 5 Kurt Seifried 2014-01-09 22:01:23 UTC 
This issue can be dealt with by using the --objcheck command line switch in older versions of MongoDB, this switch was enabled as the default behavior in version 2.3.2 and later.
Comment 7 errata-xmlrpc 2014-03-04 19:16:01 UTC 
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0230 https://rhn.redhat.com/errata/RHSA-2014-0230.html
Comment 9 errata-xmlrpc 2014-04-28 16:47:40 UTC 
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2014:0440 https://rhn.redhat.com/errata/RHSA-2014-0440.html
Comment 11 Kurt Seifried 2014-08-08 19:26:18 UTC 
Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.