[DOCS-5109] Comment on: "about/alerts.txt#security-related" Created: 25/Mar/15  Updated: 03/Nov/17  Resolved: 01/Apr/15

Status: Closed
Project: Documentation
Component/s: None
Affects Version/s: None
Fix Version/s: 01112017-cleanup

Type: Bug Priority: Major - P3
Reporter: Brian Martin Assignee: Unassigned
Resolution: Done Votes: 0
Labels: collector-298ba4e7
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Location: http://www.mongodb.org/about/alerts/#security-related
User-Agent: Opera/9.80 (Windows NT 6.1; WOW64) Presto/2.12.388 Version/12.17
Screen Resolution: 1920 x 1080
repo: mongodb-www-about
source: alerts


Participants:
Days since reply: 8 years, 47 weeks ago

 Description   

03/25/2015 mongod Remotely trigger a denial of service (crash) via a specially crafted regular expression. 2.6.8 and earlier, 3.0.0 2.6.9 and 3.0.1 CVE-2015-2327, CVE-2015-2328 SERVER-17252

SERVER-17252 references CVE-2014-8964 within the ticket, and does not mention either CVE-2015-232x ID on the alerts page. There is no public reference to those two CVEs, and no indication if this is a typo, problems in MongoDB, or problems in PCRE since the original ticket is based on issues in that package. Can you clarify what those two CVE IDs relate to?



 Comments   
Comment by Christopher Sandulow [ 26/Mar/15 ]

Brian

CVE-2014-8964 was issued for a vulnerability in a third party PCRE library.

The MongoDB versions listed in ( http://www.mongodb.org/about/alerts/#security-related ) are vulnerable to denial of service as they use this version of PCRE.

Even though the actual vulnerability is in the underlying PCRE library, we received a vulnerability report from a third party regarding exploiting this version of PCRE in MongoDB to cause a denial of service. That external party requested CVEs for the issues they identified in MongoDB and those CVEs are CVE-2015-2327 and CVE-2015-2328.

I understand this can be confusing; we will update SERVER-17252 with more detail to help clarify this.

Generated at Thu Feb 08 07:49:37 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.