Red Hat Bugzilla – Bug 1049748
CVE-2012-6619 mongodb: memory over-read via incorrect BSON object length
Last modified: 2016-04-26 19:50:38 EDT
MongoDB was found to be affected by a memory over-read bug that can be used by an authenticated user (if applicable) to obtain raw MongoDB server process memory contents via incorrect BSON object length. This issue does not seem to cross a security boundary under most deployments, but for some it could, like differently-privileged MongoDB users, data already deleted from the DB yet staying in process memory, or/and metadata that is not normally retrievable. References: http://seclists.org/oss-sec/2014/q1/27 http://blog.ptsecurity.com/2012/11/attacking-mongodb.html https://github.com/cyberpunkych/attacking_mongodb (The files used for the attack demonstration.)
According to http://www.mongodb.org/about/alerts/#security-related this issue was corrected on 11/27/2012 and affects version 2.3.1 and earlier, and is corrected in 2.3.2. It is described as "Object validation (--objcheck) not performed by default." The upstream original bug report for this is: https://jira.mongodb.org/browse/SERVER-7769 Which indicates the following commits correct the issue: https://github.com/mongodb/mongo/commit/6889d1658136c753998b4a408dc8d1a3ec28e3b9 https://github.com/mongodb/mongo/commit/f9817a6cf64bdba8e1e1cef30a798110df746b58
As an aside, there is an implication in the upstream bugs that were duped against SERVER-7769 that this also can cause a denial of service (crash of the mongodb server process).
The upstream report does not indicate when the flaw was introduced, so it is unknown as of yet whether or not 1.x is affected by this at all.
This issue can be dealt with by using the --objcheck command line switch in older versions of MongoDB, this switch was enabled as the default behavior in version 2.3.2 and later.
This issue has been addressed in following products: OpenStack 4 for RHEL 6 Via RHSA-2014:0230 https://rhn.redhat.com/errata/RHSA-2014-0230.html
This issue has been addressed in following products: MRG for RHEL-6 v.2 Via RHSA-2014:0440 https://rhn.redhat.com/errata/RHSA-2014-0440.html
Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.