Bug 1516183 (CVE-2017-15535) - CVE-2017-15535 mongodb: Invalid wire protocol compression
Summary: CVE-2017-15535 mongodb: Invalid wire protocol compression
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-15535
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1516185
Blocks: 1516186
TreeView+ depends on / blocked
 
Reported: 2017-11-22 08:46 UTC by Andrej Nemec
Modified: 2021-09-20 15:18 UTC (History)
44 users (show)

Fixed In Version: mongodb 3.4.10, mongodb 3.6.0
Doc Type: If docs needed, set a value
Doc Text:
A memory corruption flaw was found in the way MongoDB handled wire protocol compression for intra-cluster communication. A privileged network attacker could potentially use this flaw to crash the MongoDB server under certain circumstances.
Clone Of:
Environment:
Last Closed: 2017-11-27 05:04:41 UTC
Embargoed:


Attachments (Terms of Use)

Description Andrej Nemec 2017-11-22 08:46:52 UTC
MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.

Upstream issue:

https://jira.mongodb.org/browse/SERVER-31273

Upstream patch [3.4.x]:

https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5

Comment 1 Andrej Nemec 2017-11-22 08:47:36 UTC
Created mongodb tracking bugs for this issue:

Affects: fedora-all [bug 1516185]

Comment 4 Cedric Buissart 2020-02-17 13:58:27 UTC
Statement:

Satellite 6 uses a vulnerable version of MongoDB. However, it does not enable wire protocol compression, and thus the vulnerability can not be triggered. A fix may be provided in a future release.

Comment 5 Yadnyawalk Tale 2021-03-17 10:15:18 UTC
(Not sure why we added 4.10 as a "fixed in" version earlier.. because that is wrong. MongoDB 3.4.10 and 3.6.0 fixing this vulnerability, just corrected the flaw bug.)


Note You need to log in before you can comment on or make changes to this bug.