ISSUE DESCRIPTION AND IMPACT
When wire protocol compression is enabled, an attacker may exploit a vulnerability in the compression handling to deny service or modify server memory. This vulnerability has been assigned CVE-2017-15535.
- MongoDB 3.2 and older: not affected by this vulnerability.
- MongoDB 3.4: wire protocol compression was introduced in SERVER-3018 and first became available in MongoDB 3.4, but it is disabled by default. If wire protocol compression is enabled, MongoDB 3.4.0 to 3.4.9 may be affected by this vulnerability.
- MongoDB 3.5 development release: 3.5 has wire protocol compression enabled by default and is affected by this vulnerability.
- MongoDB 3.6 and newer: not affected.
DIAGNOSIS AND REMEDIATION
MongoDB 3.4 users may use the getCmdLineOpts command to determine whether wire protocol compression is enabled. If the networkMessageCompressors parameter is set to snappy, the mongod node is vulnerable.
To disable wire protocol compression, users may specify disabled as the compression engine, either on the command line:
or, alternatively, in the mongod configuration file as:
This vulnerability is corrected in MongoDB 3.4.10 and MongoDB 3.6.
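The diagnosis steps above can be automated over the output of getCmdLineOpts. The following is an added example, not code from the MongoDB advisory or project; it assumes the command returns a document of the form {argv: [...], parsed: {...}}, that the config-file setting behind --networkMessageCompressors appears under parsed.net.compression.compressors, and that the server version has been read separately (for example with db.version()).

```python
# Added example (not from the MongoDB advisory): triage getCmdLineOpts output
# for CVE-2017-15535. Assumes the output shape {argv: [...], parsed: {...}}
# and that parsed.net.compression.compressors mirrors --networkMessageCompressors.
AFFECTED_34 = {(3, 4, p) for p in range(10)}  # 3.4.0 .. 3.4.9 per the advisory

def parse_version(text):
    """'3.4.10-rc0' -> (3, 4, 10); missing components are zero-filled."""
    parts = [int(x) for x in text.split("-")[0].split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def compression_enabled(opts):
    """True if any compressor other than 'disabled' is configured (3.4 default: off)."""
    parsed = opts.get("parsed", {})
    value = parsed.get("net", {}).get("compression", {}).get("compressors")
    if value is None:  # fall back to the raw argv the server was started with
        argv = opts.get("argv", [])
        for i, arg in enumerate(argv):
            if arg == "--networkMessageCompressors" and i + 1 < len(argv):
                value = argv[i + 1]
            elif arg.startswith("--networkMessageCompressors="):
                value = arg.split("=", 1)[1]
    if not value:
        return False
    names = [n.strip() for n in str(value).split(",") if n.strip()]
    return any(n != "disabled" for n in names)

def assess(version, opts):
    """Return (status, reason) following the advisory's version table."""
    v = parse_version(version)
    if v[:2] == (3, 5):
        return "vulnerable", "3.5 development release: compression on by default"
    if v in AFFECTED_34:
        if compression_enabled(opts):
            return "vulnerable", "3.4.0-3.4.9 with compression enabled; fix is 3.4.10"
        return "not_vulnerable", "3.4.x with compression disabled"
    return "not_vulnerable", "version outside the affected range"

# Constructed sample documents, not captured from a real deployment.
VULNERABLE_OPTS = {"argv": ["mongod", "--config", "/etc/mongod.conf"],
                   "parsed": {"net": {"compression": {"compressors": "snappy"}}}}
REMEDIATED_OPTS = {"argv": ["mongod", "--networkMessageCompressors", "disabled"],
                   "parsed": {}}

if __name__ == "__main__":
    for ver, opts in [("3.4.9", VULNERABLE_OPTS), ("3.4.9", REMEDIATED_OPTS),
                      ("3.4.10", VULNERABLE_OPTS), ("3.5.13", VULNERABLE_OPTS)]:
        print(ver, *assess(ver, opts))
```

Run it against the JSON returned by db.adminCommand({getCmdLineOpts: 1}) on each mongod in a replica set or sharded cluster, since compression can be configured per node.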