Bug 1049748 (CVE-2012-6619) - CVE-2012-6619 mongodb: memory over-read via incorrect BSON object length
Summary: CVE-2012-6619 mongodb: memory over-read via incorrect BSON object length
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-6619
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1050760 1050761 1050762 1050763 1050764 1050767 1050768 1050769
Blocks: 1049750 1059047
TreeView+ depends on / blocked
 
Reported: 2014-01-08 06:36 UTC by Ratul Gupta
Modified: 2019-09-29 13:11 UTC (History)
49 users (show)

Fixed In Version: mongodb 2.3.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-01-17 05:44:22 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0230 normal SHIPPED_LIVE Moderate: mongodb security update 2014-03-05 00:11:08 UTC
Red Hat Product Errata RHSA-2014:0440 normal SHIPPED_LIVE Moderate: Red Hat Enterprise MRG Grid 2.5 security, bug fix, and enhancement update 2014-04-28 20:43:37 UTC

Description Ratul Gupta 2014-01-08 06:36:03 UTC
MongoDB was found to be affected by a memory over-read bug that can be used by an authenticated user (if applicable) to obtain raw MongoDB server process memory contents via incorrect BSON object length.

This issue does not seem to cross a security boundary under most deployments, but for some it could, like differently-privileged MongoDB users, data already deleted from the DB yet staying in process memory, or/and metadata that is not normally retrievable.

References:
http://seclists.org/oss-sec/2014/q1/27
http://blog.ptsecurity.com/2012/11/attacking-mongodb.html
https://github.com/cyberpunkych/attacking_mongodb (The files used for the attack demonstration.)

Comment 1 Vincent Danen 2014-01-08 17:12:54 UTC
According to http://www.mongodb.org/about/alerts/#security-related this issue was corrected on 11/27/2012 and affects version 2.3.1 and earlier, and is corrected in 2.3.2.

It is described as "Object validation (--objcheck) not performed by default."

The upstream original bug report for this is:

https://jira.mongodb.org/browse/SERVER-7769

Which indicates the following commits correct the issue:

https://github.com/mongodb/mongo/commit/6889d1658136c753998b4a408dc8d1a3ec28e3b9
https://github.com/mongodb/mongo/commit/f9817a6cf64bdba8e1e1cef30a798110df746b58

Comment 2 Vincent Danen 2014-01-08 17:15:15 UTC
As an aside, there is an implication in the upstream bugs that were duped against SERVER-7769 that this also can cause a denial of service (crash of the mongodb server process).

Comment 3 Vincent Danen 2014-01-08 17:24:13 UTC
The upstream report does not indicate when the flaw was introduced, so it is unknown as of yet whether or not 1.x is affected by this at all.

Comment 5 Kurt Seifried 2014-01-09 22:01:23 UTC
This issue can be dealt with by using the --objcheck command line switch in older versions of MongoDB, this switch was enabled as the default behavior in version 2.3.2 and later.

Comment 7 errata-xmlrpc 2014-03-04 19:16:01 UTC
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0230 https://rhn.redhat.com/errata/RHSA-2014-0230.html

Comment 9 errata-xmlrpc 2014-04-28 16:47:40 UTC
This issue has been addressed in following products:

  MRG for RHEL-6 v.2

Via RHSA-2014:0440 https://rhn.redhat.com/errata/RHSA-2014-0440.html

Comment 11 Kurt Seifried 2014-08-08 19:26:18 UTC
Red Hat Update Infrastructure 2.1.3 is now in Production 2 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Update Infrastructure Life Cycle: https://access.redhat.com/support/policy/updates/rhui.


Note You need to log in before you can comment on or make changes to this bug.