
[Vulnerability notice] CVE-2017-15535: Memory corruption vulnerability in MongoDB

Last Updated: Apr 08, 2018

On October 30, 2017, a remote memory-corruption vulnerability in MongoDB (CVE-2017-15535) was reported. Attackers can cause a denial of service or modify server memory. The vulnerability may also allow unauthorized code execution, but this has not been confirmed. MongoDB 3.4.0 to 3.4.9 are affected.

In the first six months of 2017, MongoDB deployments suffered data extortion attacks multiple times. For the sake of service security, we recommend that you keep up to date with MongoDB vulnerabilities and fix them promptly, to prevent security events that seriously affect service stability, such as unauthorized data deletion.

See the following for more information about the vulnerability.


CVE identifier

CVE-2017-15535

Vulnerability name

MongoDB memory corruption vulnerability

Vulnerability rating

High

Vulnerability description

When wire protocol compression is enabled, malicious attackers may exploit the existing vulnerability to deny service or modify server memory.

Condition and method of exploitation

Remote exploitation by using PoC

PoC status

Unpublished

Affected scope

MongoDB 3.4.0 to 3.4.9

Unaffected versions: 3.4.10 and 3.6.0-rc0

Vulnerability detection

Check whether any affected version of MongoDB is used.
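The following added example (not part of this notice or of MongoDB itself) shows one way to run that check over a host inventory: it compares each reported server version against the affected range 3.4.0 to 3.4.9 with numeric comparison (a plain string comparison would wrongly rank "3.4.10" below "3.4.9") and also considers whether wire protocol compression is on, since the notice ties exploitation to that setting. The inventory values and the compressor setting string passed in are assumptions constructed for the example; the notice does not name the server option.

```python
import re

# Affected range taken from the notice: 3.4.0 through 3.4.9 inclusive.
AFFECTED_MIN = (3, 4, 0)
AFFECTED_MAX = (3, 4, 9)

def parse_version(text):
    """Turn '3.4.10' or '3.6.0-rc0' into a tuple of ints for numeric comparison.
    Pre-release suffixes such as '-rc0' are ignored for range checking."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected_version(text):
    """True when the version lies inside the affected range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX

def compression_enabled(compressors):
    """compressors: the server's wire-compression setting as a string such as
    'snappy' or 'disabled' (assumed format; None means the setting is unknown)."""
    if compressors is None:
        return False
    names = [c.strip().lower() for c in str(compressors).split(",")]
    return any(n and n != "disabled" for n in names)

def assess(version, compressors=None):
    """Classify one host. An affected build is told to upgrade either way;
    compression on top of it marks the host as actually exposed."""
    if not is_affected_version(version):
        return "not affected"
    if compression_enabled(compressors):
        return "vulnerable: upgrade to 3.4.10+"
    return "affected build, compression off: upgrade anyway"

# Constructed sample inventory for the example, not real hosts.
SAMPLE_HOSTS = {
    "db-a": ("3.4.9", "snappy"),
    "db-b": ("3.4.10", "snappy"),
    "db-c": ("3.6.0-rc0", "disabled"),
    "db-d": ("3.4.3", None),
}

def report(hosts=SAMPLE_HOSTS):
    """Map each host name to its verdict."""
    return {name: assess(v, c) for name, (v, c) in hosts.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```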

How to fix or mitigate

  • MongoDB has released a fixed version. We recommend that you upgrade MongoDB to 3.4.10 or a later version to fix the vulnerability.

  • We recommend that you manually perform security hardening on MongoDB after you finish installing and deploying it.

