[SERVER-31273] Use Source/Sink version of snappy functions Created: 26/Sep/17  Updated: 30/Oct/23  Resolved: 02/Oct/17

Status: Closed
Project: Core Server
Component/s: Networking, Security
Affects Version/s: None
Fix Version/s: 3.4.10, 3.6.0-rc0

Type: Improvement Priority: Major - P3
Reporter: Jonathan Reams Assignee: Jonathan Reams
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Backport Requested:
v3.4
Sprint: Platforms 2017-10-02

 Description   
Issue Status as of Sep 27, 2017

ISSUE DESCRIPTION AND IMPACT
When wire protocol compression is enabled, a malicious attacker may exploit an existing vulnerability to deny service or modify server memory. This vulnerability has been assigned CVE-2017-15535.

AFFECTED VERSIONS

  • MongoDB 3.2 and older: not affected by this vulnerability.
  • MongoDB 3.4: wire protocol compression was introduced in SERVER-3018 and it first became available in MongoDB 3.4, but it is disabled by default. If wire protocol compression is enabled, MongoDB 3.4.0 to 3.4.9 may be affected by this vulnerability.
  • MongoDB 3.5 development release: 3.5 has wire protocol compression enabled by default and is affected by this vulnerability.
  • MongoDB 3.6 and newer: not affected.

DIAGNOSIS AND REMEDIATION
MongoDB 3.4 users may use the getCmdLineOpts command to determine whether wire protocol compression is enabled. If the networkMessageCompressors parameter is set to snappy, a mongod node is vulnerable.

To disable wire protocol compression, users may specify disabled as the compression engine, either in the command line:

--networkMessageCompressors disabled

or, alternatively, in the mongod configuration file as:

 net:
   compression:
     compressors: disabled
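
The getCmdLineOpts check described above, combined with the affected-version ranges, as an added example (not MongoDB's own code). It assumes the setting appears under parsed.net.compression.compressors, mirroring the configuration keys shown above; the function names, verdict strings and sample documents are constructed for illustration.

```javascript
// Added example: classify a node from its version string and getCmdLineOpts output.
// In the mongo shell the inputs would come from db.version() and
// db.adminCommand({ getCmdLineOpts: 1 }); the sample documents below are constructed.

// Compressors explicitly configured, as a list; null when the option is not set.
// Assumption: the parsed output mirrors the net.compression.compressors config key.
function configuredCompressors(cmdLineOpts) {
  const net = (cmdLineOpts && cmdLineOpts.parsed && cmdLineOpts.parsed.net) || {};
  const value = net.compression && net.compression.compressors;
  if (typeof value !== "string") return null;
  return value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

function assessNode(version, cmdLineOpts) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) return "unknown: unparseable version";
  const [major, minor, patch] = m.slice(1).map(Number);
  const series = major * 100 + minor; // 3.4 -> 304

  if (series <= 302) return "not affected: no wire protocol compression";
  if (series >= 306) return "not affected: fixed series";
  if (series === 304 && patch >= 10) return "not affected: fixed in 3.4.10";

  const compressors = configuredCompressors(cmdLineOpts);
  if (compressors === null) {
    // Per the advisory: disabled by default in 3.4, enabled by default in 3.5.
    return series === 304
      ? "not exposed: compression disabled by default"
      : "vulnerable: compression enabled by default";
  }
  return compressors.includes("snappy")
    ? "vulnerable: snappy compression enabled"
    : "not exposed: snappy not configured";
}

// Constructed sample getCmdLineOpts results.
const SAMPLE_SNAPPY = { argv: ["mongod", "--networkMessageCompressors", "snappy"],
  parsed: { net: { compression: { compressors: "snappy" } } }, ok: 1 };
const SAMPLE_DEFAULT = { argv: ["mongod"], parsed: {}, ok: 1 };
```

A "not exposed" verdict on 3.4.0 to 3.4.9 reflects configuration only; the fix itself is in 3.4.10 and 3.6.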

FIX VERSIONS
This vulnerability is corrected in MongoDB 3.4.10 and MongoDB 3.6.



 Comments   
Comment by Githook User [ 02/Oct/17 ]

Author: Jonathan Reams <jbreams@mongodb.com> (jbreams)

Message: SERVER-31273 Use Source/Sink version of snappy functions

(cherry picked from commit 59ead734faa8aa51f0c53bf2bd39d0a0247ddf99)
Branch: v3.4
https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5

Comment by Githook User [ 29/Sep/17 ]

Author: Jonathan Reams <jbreams@mongodb.com> (jbreams)

Message: SERVER-31273 Use Source/Sink version of snappy functions
Branch: master
https://github.com/mongodb/mongo/commit/59ead734faa8aa51f0c53bf2bd39d0a0247ddf99
