[SERVER-17264] improve bson validation Created: 12/Feb/15  Updated: 07/Jun/17  Resolved: 17/Feb/15

Status: Closed
Project: Core Server
Component/s: Networking
Affects Version/s: 2.4.12, 2.6.7, 3.0.0-rc8
Fix Version/s: 2.4.13, 2.6.8, 3.0.0-rc9, 3.1.0

Type: Improvement Priority: Major - P3
Reporter: Eliot Horowitz (Inactive) Assignee: Eliot Horowitz (Inactive)
Resolution: Done Votes: 0
Labels: asp, asp-cve, asp-sdl-reported, asp-vuln-dos
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible

Description
Issue Status as of Feb 17, 2015

ISSUE SUMMARY
The mongod server fails to validate some cases of malformed BSON. This failure occurs pre-authentication.

USER IMPACT
A specially crafted, malformed BSON message may trigger an uncaught exception in the server, resulting in a loss of availability.

WORKAROUNDS
There are no workarounds for this issue.

AFFECTED VERSIONS
All MongoDB production releases up to 2.6.7 are affected by this issue.

FIX VERSION
The fix is included in the 2.4.13 and 2.6.8 production releases.
CVE-2015-1609 has been assigned to this issue.

RESOLUTION DETAILS
Reject malformed BSON data.
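As an added illustration of that resolution (example code written here, not MongoDB's bson_validate implementation), a small structural checker for BSON documents holding UTF-8 strings and embedded documents: every length field is bounds-checked against the enclosing document and every string is decoded as UTF-8, so malformed input is reported by `check_bson` instead of surfacing as an uncaught exception. The sample bytes (`GOOD`, `BAD_LENGTH`) are constructed for this example.

```python
class MalformedBSON(ValueError):
    pass
def _validate_doc(buf: bytes, start: int, depth: int) -> int:
    """Validate one document at `start`; return the offset just past its terminator."""
    if depth > 32:
        raise MalformedBSON("nesting too deep")
    # A short slice here (truncated input) yields a size that fails the range check below.
    size = int.from_bytes(buf[start:start + 4], "little", signed=True)
    end = start + size
    if size < 5 or end > len(buf):  # smallest document is int32 length + NUL terminator
        raise MalformedBSON("document length out of bounds")
    if buf[end - 1] != 0:
        raise MalformedBSON("document not NUL-terminated")
    pos = start + 4
    while pos < end - 1:
        etype = buf[pos]
        name_end = buf.find(b"\x00", pos + 1, end - 1)
        if name_end < 0:
            raise MalformedBSON("unterminated element name")
        buf[pos + 1:name_end].decode("utf-8")  # element names must be UTF-8 as well
        pos = name_end + 1
        if etype == 0x02:  # string: int32 byte count (incl. trailing NUL), bytes, NUL
            n = int.from_bytes(buf[pos:pos + 4], "little", signed=True)
            pos += 4
            if n < 1 or pos + n > end - 1:  # negative, zero, truncated, or past the document
                raise MalformedBSON("string length out of bounds")
            if buf[pos + n - 1] != 0:
                raise MalformedBSON("string not NUL-terminated")
            buf[pos:pos + n - 1].decode("utf-8")  # UnicodeDecodeError for bad UTF-8
            pos += n
        elif etype == 0x03:  # embedded document, validated recursively
            pos = _validate_doc(buf, pos, depth + 1)
            if pos > end - 1:
                raise MalformedBSON("embedded document overruns parent")
        else:
            raise MalformedBSON(f"unsupported element type 0x{etype:02x}")
    return end

def check_bson(buf: bytes) -> str:
    """Return "ok" for a well-formed document, otherwise a description of the defect."""
    try:
        return "ok" if _validate_doc(buf, 0, 0) == len(buf) else "trailing bytes after document"
    except UnicodeDecodeError:
        return "invalid UTF-8"
    except MalformedBSON as exc:
        return str(exc)

# Constructed samples: {"a": "hi"} as 15 bytes, and a copy whose string length points past the document.
GOOD = b"\x0f\x00\x00\x00\x02a\x00\x03\x00\x00\x00hi\x00\x00"
BAD_LENGTH = GOOD[:7] + b"\xff\xff\xff\x7f" + GOOD[11:]
```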

ADDITIONAL NOTES
Users may reduce their exposure by limiting network access to the server. See the MongoDB Security documentation page for more information on recommended security practices for your MongoDB deployment. This vulnerability was discovered by Xiaopeng Zhang of Fortinet's FortiGuard Labs and responsibly disclosed to MongoDB, Inc.

Comments
Comment by Githook User [ 17/Feb/15 ]

Author: Eliot Horowitz (erh) <eliot@10gen.com>

Message: SERVER-17264: improve bson validation for utf-8 strings

(cherry picked from commit 394a8569ff14a215c0691aa34440227b2e62a4de)

Conflicts:
src/mongo/bson/bson_validate_test.cpp
Branch: v2.4
https://github.com/mongodb/mongo/commit/3a7e85ea1f672f702660e5472566234b1d19038e

Comment by Githook User [ 12/Feb/15 ]

Author: Eliot Horowitz (erh) <eliot@10gen.com>

Message: SERVER-17264: improve bson validation for utf-8 strings

(cherry picked from commit 394a8569ff14a215c0691aa34440227b2e62a4de)
Branch: v2.6
https://github.com/mongodb/mongo/commit/8f1c734c7f1862180f607c241fb167640889efba

Comment by Githook User [ 12/Feb/15 ]

Author: Eliot Horowitz (erh) <eliot@10gen.com>

Message: SERVER-17264: improve bson validation for utf-8 strings

(cherry picked from commit 394a8569ff14a215c0691aa34440227b2e62a4de)
Branch: v3.0
https://github.com/mongodb/mongo/commit/5285225e71c5c0652520ef99d0ae4ca24655f72f

Comment by Githook User [ 12/Feb/15 ]

Author: Eliot Horowitz (erh) <eliot@10gen.com>

Message: SERVER-17264: improve bson validation for utf-8 strings
Branch: master
https://github.com/mongodb/mongo/commit/394a8569ff14a215c0691aa34440227b2e62a4de

Generated at Thu Feb 08 03:43:50 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.