Bug 1516183 (CVE-2017-15535)

Summary: CVE-2017-15535 mongodb: Invalid wire protocol compression
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: admiller, apevec, bhu, bkearney, cbillett, chrisw, clalancette, databases-maint, dkholia, esammons, fpercoco, hhorak, iboverma, jjoyce, jmatthew, jorton, jpacner, jross, jschluet, kbasil, kseifried, lhh, lpeer, markmc, matt, mburns, mcressma, mrike, mskalick, ohadlevy, rbryant, sclewis, sisharma, slinaber, srevivo, strobert, tdawson, tdecacqu, tjay, tomckay, tomm.momi, trepik, tsanders, williams
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mongodb 3.4.10, mongodb 3.6.0
Doc Text:
A memory corruption flaw was found in the way MongoDB handled wire protocol compression for intra-cluster communication. A privileged network attacker could potentially use this flaw to crash the MongoDB server under certain circumstances.
Last Closed: 2017-11-27 05:04:41 UTC
Bug Depends On: 1516185
Bug Blocks: 1516186

Description Andrej Nemec 2017-11-22 08:46:52 UTC
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.

Upstream issue:

https://jira.mongodb.org/browse/SERVER-31273

Upstream patch [3.4.x]:

https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5

Comment 1 Andrej Nemec 2017-11-22 08:47:36 UTC
Created mongodb tracking bugs for this issue:

Affects: fedora-all [bug 1516185]

Comment 4 Cedric Buissart 2020-02-17 13:58:27 UTC
Statement:

Satellite 6 uses a vulnerable version of MongoDB. However, it does not enable wire protocol compression, and thus the vulnerability cannot be triggered. A fix may be provided in a future release.
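
As an added exposure check (example code, not part of this Bugzilla record or of MongoDB), the following Python script combines the two conditions the record states: an affected version (3.4.x before 3.4.10, or the 3.5.x development series) and wire protocol compression actually enabled via networkMessageCompressors. It assumes the flag takes a comma-separated list of compressor names and that the literal value "disabled" turns it off; the command lines are constructed.

```python
"""Exposure check for CVE-2017-15535 (constructed example, not from the record).

Affected: MongoDB 3.4.x before 3.4.10 and the 3.5.x development series, and only
when networkMessageCompressors is enabled (disabled by default). Assumption: the
flag takes a comma-separated list and the literal value "disabled" turns it off.
"""
import re

FLAG = "--networkMessageCompressors"


def parse_version(version):
    """(major, minor, patch) from strings such as '3.4.9' or 'v3.4.9-rc1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised MongoDB version: %r" % version)
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True for 3.4.0 .. 3.4.9 and for any 3.5.x development build."""
    major, minor, patch = parse_version(version)
    if (major, minor) == (3, 4):
        return patch < 10
    return (major, minor) == (3, 5)


def compressors_from_argv(argv):
    """Compressor names from a mongod/mongos command line; [] if the flag is absent."""
    for i, arg in enumerate(argv):
        if arg == FLAG and i + 1 < len(argv):   # '--networkMessageCompressors snappy'
            value = argv[i + 1]
        elif arg.startswith(FLAG + "="):         # '--networkMessageCompressors=snappy'
            value = arg.split("=", 1)[1]
        else:
            continue
        return [v.strip() for v in value.split(",") if v.strip()]
    return []


def assess(version, argv):
    """Return (affected_version, compression_enabled, exposed)."""
    vuln = version_affected(version)
    comp = any(n.lower() != "disabled" for n in compressors_from_argv(argv))
    return vuln, comp, vuln and comp


if __name__ == "__main__":
    # Constructed command lines, as a defender would read them from ps output.
    print(assess("3.4.9", ["mongod", "--config", "/etc/mongod.conf"]))  # (True, False, False)
    print(assess("3.4.9", ["mongod", FLAG, "snappy"]))                  # (True, True, True)
    print(assess("3.4.10", ["mongod", FLAG + "=snappy"]))               # (False, True, False)
```

The third tuple element is the one to act on: a vulnerable build with compression left at its default is not exposed, which is the reasoning behind the Satellite 6 statement above.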

Comment 5 Yadnyawalk Tale 2021-03-17 10:15:18 UTC
(Not sure why we added 4.10 as a "fixed in" version earlier... because that is wrong. MongoDB 3.4.10 and 3.6.0 fix this vulnerability; I have just corrected the flaw bug.)