[SERVER-17252] Upgrade PCRE Version from 8.30 to Latest Created: 11/Feb/15  Updated: 07/Jun/17  Resolved: 05/Mar/15

Status: Closed
Project: Core Server
Component/s: Build, Internal Code
Affects Version/s: 2.6.7, 3.0.0-rc8
Fix Version/s: 2.4.14, 2.6.9, 3.0.1, 3.1.0

Type: Improvement Priority: Major - P3
Reporter: Victor Hooi Assignee: Mark Benvenuto
Resolution: Done Votes: 0
Labels: asp, asp-cve, asp-sdl-reported, asp-vuln-dos
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Documented
is documented by DOCS-5260 update pcre version Closed
Related
Backwards Compatibility: Minor Change
Backport Completed:
Participants:

 Description   
Issue Status as of Mar 10, 2015

ISSUE SUMMARY
MongoDB ships with PCRE 8.30, which suffers from the following vulnerabilities:

When running with authentication, users need to be successfully authenticated into MongoDB to be able to exploit these vulnerabilities.

USER IMPACT
Remote attackers may cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

WORKAROUNDS
N/A

AFFECTED VERSIONS
All MongoDB production releases prior to 2.6.9 and 3.0.1 are affected by this issue.

FIX VERSION
The fix is included in the 2.6.9 and 3.0.1 production releases.

RESOLUTION DETAILS
Ship MongoDB with a patched 8.36+ version of PCRE that does not suffer from these vulnerabilities.

ADDITIONAL INFORMATION
An external security researcher exploited the issue in PCRE to cause a crash in MongoDB. They were issued CVE-2015-2327 and CVE-2015-2328 for their findings. We rate these issues with a CVSS of 6.8

Original description

Currently, MongoDB ships with version 8.30 of the PCRE library:

https://github.com/mongodb/mongo/tree/b0cd366ef38cd300a19379628dd89088b4b19774/src/third_party/pcre-8.30

This is somewhat out of date.

It would be good to update this to the latest version, which at time of writing was 8.36 (released October 2014).



 Comments   
Comment by Daniel Pasette (Inactive) [ 07/Apr/15 ]

There are no version of v2.4 that have the fix other than the nightly build. v2.6 and v3.0 both have the fix in production releases.
To be clear, a malicious user can only attack from behind the firewall.

Comment by sheyda amini [ 07/Apr/15 ]

I may have to rephrase my question, does this mean that other releases on v2.4.x have the fix? We are running 2.4.6.

Comment by sheyda amini [ 06/Apr/15 ]

Thanks! Any idea when 2.4.14 will be released?

Comment by Daniel Pasette (Inactive) [ 04/Apr/15 ]

the fix has been backported to the v2.4 branch, but the 2.4.14 version has not yet been released.

Comment by sheyda amini [ 03/Apr/15 ]

Does Release 2.4.14 also contain the fix for security vulnerability that has been fixed in version 2.6.9 and later ?

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: 8.36 SCons Integration - 2.6 compatibility

(cherry picked from commit 62c7c349095713d14e6035f356981398a16c55a6)
Branch: v2.4
https://github.com/mongodb/mongo/commit/22251f7783f3fcef07f6745da19d3e1a4f792391

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PCRE 8.36 SCons Integration

(cherry picked from commit 69db0b402891afe1e91ce03cd82c0a3c15fca48e)
(cherry picked from commit 525f13d490317e235fe7bbe193d23ed9362dd16a)
Branch: v2.4
https://github.com/mongodb/mongo/commit/7805c5042c81d2b8aec94a6c8b90fd912e4017fa

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PCRE 8.36 SCons Integration

(cherry picked from commit b3085ab4f62cb80a5a2f63afe5a0be687c799a96)
(cherry picked from commit 4eb56a194b5d1f4123f1b66b6cef7bba54e3d352)
Branch: v2.4
https://github.com/mongodb/mongo/commit/88f8524ed4d346e68162bcc88d720e3c1600012d

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: CVE-2014-8964: Fix zero-repeat assertion condition bug.

(cherry picked from commit 558a019e51175b874de11f96c276f6be633fea91)
(cherry picked from commit 060ec05e9af5530830781da7e69510b8a7474f80)
Branch: v2.4
https://github.com/mongodb/mongo/commit/e8a768d0f47d92d56308ea45c4e5dd98f89b4c07

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PPCRE 8.36

(cherry picked from commit 21ab861effaa74362fc29fc7b20e3d413794f0ba)
(cherry picked from commit 551728cbb5134f83859b90dc13bfe0174c1e6493)
Branch: v2.4
https://github.com/mongodb/mongo/commit/32dbdb01ca606df9b639a9569d0be9c226b95cd6

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PCRE 8.36 SCons Integration

(cherry picked from commit 69db0b402891afe1e91ce03cd82c0a3c15fca48e)
Branch: v3.0
https://github.com/mongodb/mongo/commit/0c40d5b4610a595274800ee4f34dc16e87ed3175

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PCRE 8.36 SCons Integration

(cherry picked from commit b3085ab4f62cb80a5a2f63afe5a0be687c799a96)
Branch: v3.0
https://github.com/mongodb/mongo/commit/168a9669cadf76e8ee7d0bb187c96a2efbad8bc9

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: CVE-2014-8964: Fix zero-repeat assertion condition bug.

(cherry picked from commit 558a019e51175b874de11f96c276f6be633fea91)
Branch: v3.0
https://github.com/mongodb/mongo/commit/d101f2d09375b594a3d6051271decd565d389a81

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PPCRE 8.36

(cherry picked from commit 21ab861effaa74362fc29fc7b20e3d413794f0ba)
Branch: v3.0
https://github.com/mongodb/mongo/commit/1f27066186e908dbdcad34f857b0b115219e8c40

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: 8.36 SCons Integration - 2.6 compatibility
Branch: v2.6
https://github.com/mongodb/mongo/commit/62c7c349095713d14e6035f356981398a16c55a6

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PCRE 8.36 SCons Integration

(cherry picked from commit 69db0b402891afe1e91ce03cd82c0a3c15fca48e)
Branch: v2.6
https://github.com/mongodb/mongo/commit/525f13d490317e235fe7bbe193d23ed9362dd16a

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PCRE 8.36 SCons Integration

(cherry picked from commit b3085ab4f62cb80a5a2f63afe5a0be687c799a96)
Branch: v2.6
https://github.com/mongodb/mongo/commit/4eb56a194b5d1f4123f1b66b6cef7bba54e3d352

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: CVE-2014-8964: Fix zero-repeat assertion condition bug.

(cherry picked from commit 558a019e51175b874de11f96c276f6be633fea91)
Branch: v2.6
https://github.com/mongodb/mongo/commit/060ec05e9af5530830781da7e69510b8a7474f80

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PPCRE 8.36

(cherry picked from commit 21ab861effaa74362fc29fc7b20e3d413794f0ba)
Branch: v2.6
https://github.com/mongodb/mongo/commit/551728cbb5134f83859b90dc13bfe0174c1e6493

Comment by Githook User [ 05/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PCRE 8.36 SCons Integration
Branch: master
https://github.com/mongodb/mongo/commit/69db0b402891afe1e91ce03cd82c0a3c15fca48e

Comment by Githook User [ 04/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PCRE 8.36 SCons Integration
Branch: master
https://github.com/mongodb/mongo/commit/b3085ab4f62cb80a5a2f63afe5a0be687c799a96

Comment by Githook User [ 04/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: CVE-2014-8964: Fix zero-repeat assertion condition bug.
Branch: master
https://github.com/mongodb/mongo/commit/558a019e51175b874de11f96c276f6be633fea91

Comment by Githook User [ 04/Mar/15 ]

Author:

{u'username': u'markbenvenuto', u'name': u'Mark Benvenuto', u'email': u'mark.benvenuto@mongodb.com'}

Message: SERVER-17252: PPCRE 8.36
Branch: master
https://github.com/mongodb/mongo/commit/21ab861effaa74362fc29fc7b20e3d413794f0ba

Generated at Thu Feb 08 03:43:47 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.