[ASA-201801-5] mongodb: arbitrary code execution

Morten Linderud foxboron at archlinux.org
Sun Jan 7 14:47:32 UTC 2018


Arch Linux Security Advisory ASA-201801-5
=========================================

Severity: High
Date    : 2018-01-05
CVE-ID  : CVE-2017-15535
Package : mongodb
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-503

Summary
=======

The package mongodb before version 3.6.0-1 is vulnerable to arbitrary
code execution.

Resolution
==========

Upgrade to 3.6.0-1.

# pacman -Syu "mongodb>=3.6.0-1"

The problem has been fixed upstream in version 3.6.0.

Workaround
==========

To disable wire protocol compression, users may specify disabled as the
compression engine, either in the command line:

    --networkMessageCompressors disabled

or, alternatively, in the mongod configuration file as:

    net:
        compression:
            compressors: disabled

Description
===========

MongoDB 3.4.x before 3.4.10, has a disabled-by-default configuration
setting, networkMessageCompressors (aka wire protocol compression),
which exposes a vulnerability when enabled that could be exploited by a
malicious attacker to deny service or modify memory of the running
process.

Impact
======

A remote unprivileged attacker is able to crash the mongodb service or
modify memory of the running process.

References
==========

https://bugs.archlinux.org/task/56379
https://jira.mongodb.org/browse/SERVER-31273
https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5
https://security.archlinux.org/CVE-2017-15535
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20180107/7c6a4e86/attachment.asc>


More information about the arch-security mailing list