Bug 1200446 (CVE-2015-1609) - CVE-2015-1609 mongodb: DoS due to improper BSON validation
Summary: CVE-2015-1609 mongodb: DoS due to improper BSON validation
Keywords:
Status: NEW
Alias: CVE-2015-1609
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20150217,repor...
Depends On: 1200447 1200448 1200449
Blocks: 1200450
Reported: 2015-03-10 15:14 UTC by Martin Prpič
Modified: 2019-06-08 20:28 UTC

Fixed In Version: mongodb 2.4.13, mongodb 2.6.8, mongodb 3.0.0-rc9, mongodb 3.1.0
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way MongoDB processed certain BSON-serialized UTF-8 strings. A remote, unauthenticated attacker could use this flaw to crash a mongod server via a specially crafted BSON message.
Clone Of:
Environment:
Last Closed:



Description Martin Prpič 2015-03-10 15:14:42 UTC
It was found that the mongod server did not correctly validate certain malformed BSON requests. A remote, unauthenticated attacker could use a specially crafted BSON message to crash a mongod server.

Upstream issue:

https://jira.mongodb.org/browse/SERVER-17264

Upstream patches:

2.4 -- https://github.com/mongodb/mongo/commit/3a7e85ea1f672f702660e5472566234b1d19038e
2.6 -- https://github.com/mongodb/mongo/commit/8f1c734c7f1862180f607c241fb167640889efba
3.0 -- https://github.com/mongodb/mongo/commit/5285225e71c5c0652520ef99d0ae4ca24655f72f
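
The kind of check the description calls for, as an added example rather than MongoDB's own code or the upstream patches linked above: a small BSON walker in Python that bounds every string element's int32 length prefix by the enclosing document before it reads or decodes the bytes, rejects non-positive lengths and missing NUL terminators, and caps nesting depth. The sample documents are constructed here (the elem_string helper lets the length prefix be overridden so that malformed elements can be produced); they illustrate the class of malformed input, not the exact message behind this CVE, and MAX_DEPTH is an assumed limit, not a MongoDB setting.

```python
import struct

# Nesting limit for this example (an assumption, not a MongoDB setting).
MAX_DEPTH = 32
# Fixed-size value types: double, ObjectId, bool, datetime, null, int32, timestamp, int64
FIXED_SIZE = {0x01: 8, 0x07: 12, 0x08: 1, 0x09: 8, 0x0A: 0, 0x10: 4, 0x11: 8, 0x12: 8}

class BsonValidationError(ValueError):
    """Raised when a document fails structural validation."""

def _cstring_end(buf, pos, end):
    """Offset just past the NUL terminating the cstring at pos (NUL must lie below end)."""
    nul = buf.find(b"\x00", pos, end)
    if nul < 0:
        raise BsonValidationError(f"unterminated cstring at offset {pos}")
    return nul + 1

def _validate_string(buf, pos, end):
    """Check a string value (int32 length, bytes, NUL) fits inside [pos, end)."""
    if end - pos < 4:
        raise BsonValidationError(f"truncated string length at offset {pos}")
    (length,) = struct.unpack_from("<i", buf, pos)
    if length < 1:  # the length counts the trailing NUL, so 0 or negative is impossible
        raise BsonValidationError(f"invalid string length {length} at offset {pos}")
    body_start, body_end = pos + 4, pos + 4 + length
    if body_end > end:  # bound the declared length by the document before reading
        raise BsonValidationError(f"string length {length} at offset {pos} runs past end")
    if buf[body_end - 1] != 0:
        raise BsonValidationError(f"string at offset {pos} is not NUL-terminated")
    try:
        buf[body_start:body_end - 1].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise BsonValidationError(f"string at offset {pos} is not valid UTF-8") from exc
    return body_end

def validate_document(buf, pos=0, end=None, depth=0):
    """Walk one document starting at pos; return the offset just past it."""
    end = len(buf) if end is None else end
    if depth > MAX_DEPTH:
        raise BsonValidationError(f"nesting deeper than {MAX_DEPTH} levels")
    if end - pos < 5:
        raise BsonValidationError(f"truncated document at offset {pos}")
    (size,) = struct.unpack_from("<i", buf, pos)
    if size < 5 or pos + size > end:
        raise BsonValidationError(f"document size {size} at offset {pos} is out of range")
    last = pos + size - 1  # offset of the document's terminating NUL
    if buf[last] != 0:
        raise BsonValidationError(f"document at offset {pos} is not terminated")
    p = pos + 4
    while p < last:
        etype = buf[p]
        p = _cstring_end(buf, p + 1, last)  # element name
        if etype == 0x02:
            p = _validate_string(buf, p, last)
        elif etype in (0x03, 0x04):  # embedded document or array
            p = validate_document(buf, p, last, depth + 1)
        elif etype in FIXED_SIZE:
            p += FIXED_SIZE[etype]
        else:
            raise BsonValidationError(f"unsupported element type 0x{etype:02x} at offset {p - 1}")
        if p > last:
            raise BsonValidationError(f"element runs past end of document at offset {pos}")
    if p != last:
        raise BsonValidationError(f"document at offset {pos} has inconsistent size")
    return last + 1

def validation_error(buf):
    """None for a well-formed document, otherwise the reason it was rejected."""
    try:
        validate_document(buf)
    except BsonValidationError as exc:
        return str(exc)
    return None

# Constructed samples (not captured traffic); declared_len overrides the length prefix.
def elem_string(key, body, declared_len=None):
    length = len(body) if declared_len is None else declared_len
    return b"\x02" + key.encode() + b"\x00" + struct.pack("<i", length) + body

def doc(*elements):
    body = b"".join(elements) + b"\x00"
    return struct.pack("<i", 4 + len(body)) + body

def nested_doc(depth):
    d = doc()
    for _ in range(depth):
        d = doc(b"\x03k\x00" + d)
    return d

SAMPLES = {
    "good": doc(elem_string("name", b"mongo\x00")),
    "overlong length": doc(elem_string("name", b"mongo\x00", declared_len=0x7FFFFFFF)),
    "negative length": doc(elem_string("name", b"mongo\x00", declared_len=-1)),
    "no NUL": doc(elem_string("name", b"mongo!")),
    "bad utf-8": doc(elem_string("name", b"\xff\xfe\x00")),
    "nested x40": nested_doc(40),
}
```

Calling validation_error on each entry of SAMPLES returns None only for "good"; every malformed entry is rejected with a specific reason before any byte beyond the declared document is touched. The important ordering is in _validate_string: the declared length is compared against the enclosing document's end first, and only then is the terminator inspected and the text decoded, so a hostile length prefix never steers a read or a decode past the buffer.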

Comment 1 Martin Prpič 2015-03-10 15:15:43 UTC
Created mongodb tracking bugs for this issue:

Affects: fedora-all [bug 1200447]
Affects: epel-6 [bug 1200448]
Affects: epel-7 [bug 1200449]

Comment 2 Fedora Update System 2015-03-21 05:01:20 UTC
mongodb-2.6.8-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-03-29 04:57:06 UTC
mongodb-2.4.13-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-04-10 19:15:46 UTC
mongodb-2.4.13-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

