1200446 – (CVE-2015-1609) CVE-2015-1609 mongodb: DoS due to improper BSON validation

Bug 1200446 (CVE-2015-1609) - CVE-2015-1609 mongodb: DoS due to improper BSON validation

Summary: CVE-2015-1609 mongodb: DoS due to improper BSON validation

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-1609
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1200447 1200448 1200449
Blocks:	1200450
TreeView+	depends on / blocked

Reported:	2015-03-10 15:14 UTC by Martin Prpič
Modified:	2021-10-21 00:44 UTC (History)
CC List:	35 users (show)
Fixed In Version:	mongodb 2.4.13, mongodb 2.6.8, mongodb 3.0.0-rc9, mongodb 3.1.0
Doc Type:	Bug Fix
Doc Text:	A flaw was found in the way MongoDB processed certain BSON-serialized UTF-8 strings. A remote, unauthenticated attacker could use this flaw to crash a mongod server via a specially crafted BSON message.
Clone Of:
Environment:
Last Closed:	2021-10-21 00:44:01 UTC
Embargoed:

Attachments	(Terms of Use)

Description Martin Prpič 2015-03-10 15:14:42 UTC

It was found that the mongod server did not correctly validate certain malformed BSON requests. A remote, unauthenticated  attacker could use a specially crafted BSON message to crash a mongod server.

Upstream issue:

https://jira.mongodb.org/browse/SERVER-17264

Upstream patches:

2.4 -- https://github.com/mongodb/mongo/commit/3a7e85ea1f672f702660e5472566234b1d19038e
2.6 -- https://github.com/mongodb/mongo/commit/8f1c734c7f1862180f607c241fb167640889efba
3.0 -- https://github.com/mongodb/mongo/commit/5285225e71c5c0652520ef99d0ae4ca24655f72f

Comment 1 Martin Prpič 2015-03-10 15:15:43 UTC

Created mongodb tracking bugs for this issue:

Affects: fedora-all [bug 1200447]
Affects: epel-6 [bug 1200448]
Affects: epel-7 [bug 1200449]

Comment 2 Fedora Update System 2015-03-21 05:01:20 UTC

mongodb-2.6.8-1.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 3 Fedora Update System 2015-03-29 04:57:06 UTC

mongodb-2.4.13-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Fedora Update System 2015-04-10 19:15:46 UTC

mongodb-2.4.13-1.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.

abaron
admiller
apevec
bkearney
bleanhar
bretm
cbillett
ccoleman
chrisw
cpelland
dallan
dmcphers
gkotton
gmollett
hhorak
jialiu
jim
johan.o.hedin
jokerman
jorton
katello-bugs
lhh
lmeyer
lpeer
markmc
mmaslano
mmccomas
mmccune
nathaniel
rbryant
sclewis
srevivo
strobert
tdawson
tomckay