On October 30, 2017, MongoDB was reported to have a remote memory-corruption vulnerability (CVE-2017-15535). Attackers can deny service or modify memory. This vulnerability may result in unauthorized code execution, but has not been confirmed yet. MongoDB 3.4.0 to 3.4.9 are affected.
In the first six months of 2017, MongoDB suffered from data extortion multiple times. For the sake of service security, we recommend that you keep yourself updated with MongoDB vulnerabilities and fix them timely to prevent security events seriously affecting service stability, such as unauthorized data deletion.
See the following for more information about the vulnerability.
MongoDB memory corruption vulnerability
When wire protocol compression is enabled, malicious attackers may exploit the existing vulnerability to deny service or modify server memory.
Condition and method of exploitation
Remote exploitation by using PoC
MongoDB 3.4.0 to 3.4.9
Unaffected versions: 3.4.10 and 3.6.0-rc0
Check whether any affected version of MongoDB is used.
How to fix or mitigate
MongoDB has released the latest version. We recommend that you upgrade MongoDB to 3.4.10 or a later version to fix the vulnerability.
We recommend that you manually perform Security hardening on MongoDB after you finish installing and deploying it.