Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)
From: Chris Sandulow <security () mongodb com>
Date: Wed, 8 Jan 2014 11:13:26 -0500

The issue described in
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6619 was originally
reported to MongoDB by Positive Technologies (ptsecurity.ru) in November
2012, with credit listed to Mikhail Firstov of Positive Research Center
(Positive Technologies Company).  See
https://jira.mongodb.org/browse/SERVER-7769 for more details.  The issue
had also been identified earlier as a potential denial of service condition.

The issue was resolved in December 2012 in MongoDB 2.3.2 when strict BSON
object checking was enabled by default.  In earlier versions this check
needs to be explicitly enabled with the --objcheck argument to the server,
which prevents insertion of records which could trigger the issue.

Thanks,



On Tue, Jan 7, 2014 at 6:58 PM, Solar Designer <solar () openwall com> wrote:

On Tue, Jan 07, 2014 at 05:15:11PM -0500, cve-assign () mitre org wrote:
There is a memory over-read bug that can be used by an authenticated
user (if applicable) to obtain raw MongoDB server process memory
contents via incorrect BSON object length.  I guess that under most
deployments this does not cross a security boundary, but for some it
could (differently-privileged MongoDB users, data already deleted from
the DB yet staying in process memory, or/and metadata that is not
normally retrievable).

Use CVE-2012-6619.

Thanks!  To make sure MongoDB developers are aware of this, I am CC'ing
this reply to security () mongodb com as specified here:

http://docs.mongodb.org/manual/tutorial/create-a-vulnerability-report/

Past MongoDB security issues are listed here:

http://www.mongodb.org/about/alerts/#security-related

and they don't appear to include this "new" issue yet.

I've just added these two links to:

http://oss-security.openwall.org/wiki/software#mongodb

MongoDB - here's some more context regarding the specific vulnerability
(now known as CVE-2012-6619, as per the assignment above):

http://www.openwall.com/lists/oss-security/2014/01/07/2

Alexander


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault