Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-31273

Use Source/Sink version of snappy functions

    XMLWordPrintable

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4.10, 3.6.0-rc0
    • Component/s: Networking, Security
    • Labels:
      None
    • Backwards Compatibility:
      Fully Compatible
    • Backport Requested:
      v3.4
    • Sprint:
      Platforms 2017-10-02

      Description

      Issue Status as of Sep 27, 2017

      ISSUE DESCRIPTION AND IMPACT
      When wire protocol compression is enabled, a malicious attacker may exploit an existing vulnerability to deny service or modify server memory. This vulnerability has been assigned CVE-2017-15535.

      AFFECTED VERSIONS

      • MongoDB 3.2 and older: are not affected by this vulnerability
      • MongoDB 3.4: wire protocol compression was introduced in SERVER-3018 and it first became available in MongoDB 3.4, but it is disabled by default. If wire protocol compression is enabled, MongoDB 3.4.0 to 3.4.9 may be affected by this vulnerability.
      • MongoDB 3.5 development release: 3.5 has wire protocol compression enabled by default and is affected by this vulnerability.
      • MongoDB 3.6 and newer: not affected.

      DIAGNOSIS AND REMEDIATION
      MongoDB 3.4 users may use the getCmdLineOpts command to determine wire protocol compression is enabled. If the networkMessageCompressors parameter is set to snappy, a mongod node is vulnerable.

      To disable wire protocol compression, users may specify disabled as the compression engine, either in the command line:

      --networkMessageCompressors disabled
      

      or, alternatively, in the mongod configuration file as:

       net:
       	compression:
       		compressors: disabled
      

      FIX VERSIONS
      This vulnerability is corrected in MongoDB 3.4.10 and MongoDB 3.6.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: