  1. Core Server
  2. SERVER-31273

Use Source/Sink version of snappy functions

    • Fully Compatible
    • v3.4
    • Platforms 2017-10-02

      Issue Status as of Sep 27, 2017

      ISSUE DESCRIPTION AND IMPACT
      When wire protocol compression is enabled, a malicious attacker may exploit an existing vulnerability to deny service or modify server memory. This vulnerability has been assigned CVE-2017-15535.

      AFFECTED VERSIONS

      • MongoDB 3.2 and older: not affected by this vulnerability.
      • MongoDB 3.4: wire protocol compression was introduced in SERVER-3018 and it first became available in MongoDB 3.4, but it is disabled by default. If wire protocol compression is enabled, MongoDB 3.4.0 to 3.4.9 may be affected by this vulnerability.
      • MongoDB 3.5 development release: 3.5 has wire protocol compression enabled by default and is affected by this vulnerability.
      • MongoDB 3.6 and newer: not affected.

      DIAGNOSIS AND REMEDIATION
      MongoDB 3.4 users may use the getCmdLineOpts command to determine whether wire protocol compression is enabled. If the networkMessageCompressors parameter is set to snappy, a mongod node is vulnerable.

      To disable wire protocol compression, users may specify disabled as the compression engine, either in the command line:

      --networkMessageCompressors disabled
      

      or, alternatively, in the mongod configuration file as:

       net:
         compression:
           compressors: disabled
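
The diagnosis above can be applied mechanically to the output of getCmdLineOpts. The following is an added example, not code from the MongoDB project: the function names, result strings and sample documents are constructed for illustration, and it assumes the command's result carries the usual `argv` array and `parsed` document.

```javascript
// Added example: classify a mongod against the advisory text above.
// Inputs: the document returned by db.adminCommand({getCmdLineOpts: 1}) and
// the server version string (e.g. from db.version()).

// Compressor setting from the config-file form (net.compression.compressors)
// or the command-line form (--networkMessageCompressors); null when unset.
function configuredCompressors(opts) {
  const net = (opts.parsed && opts.parsed.net) || {};
  if (net.compression && typeof net.compression.compressors === "string") {
    return net.compression.compressors;
  }
  const argv = opts.argv || [];
  for (let i = 0; i < argv.length; i++) {
    if (argv[i] === "--networkMessageCompressors") return argv[i + 1] || null;
    const m = /^--networkMessageCompressors=(.*)$/.exec(argv[i]);
    if (m) return m[1];
  }
  return null;
}

function assess(version, opts) {
  const [major, minor, patch] = version.split(".").map((p) => parseInt(p, 10));
  const setting = configuredCompressors(opts);
  const names = setting === null ? [] : setting.split(",").map((s) => s.trim());
  if (major < 3 || (major === 3 && minor <= 2)) return "not affected (3.2 or older)";
  if (major === 3 && minor === 4) {
    if (patch >= 10) return "fixed (3.4.10 or later)";
    return names.includes("snappy") ? "VULNERABLE: snappy enabled on 3.4.0-3.4.9"
                                    : "not exposed: snappy not enabled";
  }
  if (major === 3 && minor === 5) {
    // Assumption: an explicit "disabled" turns the 3.5 default off, as on 3.4.
    return names.includes("disabled") ? "not exposed: compression disabled"
                                      : "VULNERABLE: 3.5 enables compression by default";
  }
  if (major > 3 || minor >= 6) return "not affected (3.6 or newer)";
  return "unknown: version not covered by the advisory";
}

// Constructed sample documents, not captured from a real server.
const viaConfigFile = { argv: ["mongod", "-f", "/etc/mongod.conf"],
  parsed: { net: { compression: { compressors: "snappy" } } } };
const viaCommandLine = { argv: ["mongod", "--networkMessageCompressors", "disabled"],
  parsed: {} };

console.log(assess("3.4.9", viaConfigFile));
console.log(assess("3.4.9", viaCommandLine));
```
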
      

      FIX VERSIONS
      This vulnerability is corrected in MongoDB 3.4.10 and MongoDB 3.6.

            Assignee:
            jonathan.reams@mongodb.com Jonathan Reams
            Reporter:
            jonathan.reams@mongodb.com Jonathan Reams