Major - P3
2.4.12, 2.6.7, 3.0.0-rc8
The mongod server fails to validate some cases of malformed BSON. This failure occurs pre-authentication.
A specially crafted, malformed BSON message may trigger an uncaught exception in the server, resulting in a loss of availability.
There are no workarounds for this issue.
All MongoDB production releases up to 2.6.7 are affected by this issue.
The fix is included in the 2.4.13 and 2.6.8 production releases.
CVE-2015-1609 has been assigned to this issue.
Reject malformed BSON data.
Users may reduce their exposure by limiting network access to the server. See the MongoDB Security documentation page for more information on recommended security practices for your MongoDB deployment. This vulnerability was discovered by Xiaopeng Zhang of Fortinet's FortiGuard Labs and responsibly disclosed to MongoDB, Inc.