Vulnerabilities > CVE-2017-15535 - Unspecified vulnerability in Mongodb

CVSS 9.1 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
mongodb
critical
nessus

Summary

MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory.

Nessus

  • NASL family: Databases
    NASL id: MONGODB_3_6_0-RC0.NASL
    description: The version of the remote MongoDB server is 3.4.x prior to 3.4.10 / 3.5.x prior to 3.6.0-rc0. It is, therefore, affected by a denial of service vulnerability in mongod networkMessageCompressors due to an implementation error. A remote, unauthenticated attacker can exploit this, to cause a denial of service or to modify server memory. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 122363
    published: 2019-02-21
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/122363
    title: MongoDB 3.4.x < 3.4.10 / 3.5.x < 3.6.0-rc0 mongod
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set the plugin only declares its
    # metadata (IDs, report text, CVSS vectors, scheduling requirements) and
    # exits before any of the check logic further down is reached.
    if (description)
    {
      script_id(122363);
      script_version("1.2");
      script_cvs_date("Date: 2019/10/31 15:18:51");
    
      script_cve_id("CVE-2017-15535");
      script_bugtraq_id(101689);
    
      script_name(english:"MongoDB 3.4.x < 3.4.10 / 3.5.x < 3.6.0-rc0 mongod");
      script_summary(english:"Checks the version of MongoDB.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote database server is affected by a vulnerability that may
    result in a denial of service or in the compromise of the server
    memory integrity.");
      # Triage note: as the text below says, the finding is based on the
      # self-reported version only. The CVE description ties the flaw to the
      # networkMessageCompressors setting, which it describes as disabled by
      # default, so a hit means "version in the affected range", not "wire
      # compression confirmed enabled". Check the server configuration before
      # rating the finding on a given host.
      script_set_attribute(attribute:"description", value:
    "The version of the remote MongoDB server is 3.4.x prior to 3.4.10 /
    3.5.x prior to 3.6.0-rc0. It is, therefore, affected by a denial of
    service vulnerability in mongod networkMessageCompressors due to an
    implementation error. A remote, unauthenticated attacker can exploit
    this, to cause a denial of service or to modify server memory.
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"https://jira.mongodb.org/browse/SERVER-31273");
      script_set_attribute(attribute:"see_also", value:"https://www.mongodb.com/alerts");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MongoDB version 3.4.10 / 3.6.0-rc0 or later.");
      # Base vectors: both CVSS versions describe a network-reachable,
      # low-complexity, unauthenticated issue with no confidentiality impact.
      # v2 rates integrity and availability Partial; v3 rates them High.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
      # Temporal vectors: exploit unproven (E:U), official fix available,
      # report confirmed. This matches the exploitability_ease attribute below.
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-15535");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/10/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/21");
    
      # "remote": the check works over the network against the service and
      # does not need credentials on the host.
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mongodb:mongodb");
      script_end_attributes();
    
      # Registered as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Scheduling: depends on mongodb_detect.nasl and requires the
      # "Services/mongodb" KB key (presumably set by that detection plugin;
      # confirm against mongodb_detect.nasl).
      script_dependencies("mongodb_detect.nasl");
      script_require_keys("Services/mongodb");
    
      exit(0);
    }
    
    include('vcf.inc');
    
    # Version-only check: read the MongoDB version recorded in the KB for the
    # detected service port and compare it with the affected ranges. Nothing
    # here inspects networkMessageCompressors, so a report means the version is
    # in range, not that wire protocol compression is enabled on the target.
    svc_port = get_service(svc:'mongodb', default:27017, exit_on_fail:TRUE);
    
    # The KB key is built per port: mongodb/<port>/Version.
    mongo_info = vcf::get_app_info(
      app    : 'MongoDB',
      kb_ver : 'mongodb/' + svc_port + '/Version',
      port   : svc_port
    );
    
    # Two affected branches: 3.4.x fixed in 3.4.10, and the 3.5.x development
    # series fixed in 3.6.0-rc0.
    affected_ranges = [
      { 'min_version' : '3.4.0', 'fixed_version' : '3.4.10' },
      { 'min_version' : '3.5.0', 'fixed_version' : '3.6.0-rc0'}
    ];
    
    vcf::check_version_and_report(
      app_info    : mongo_info,
      constraints : affected_ranges,
      severity    : SECURITY_WARNING
    );
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-1275.NASL
    description: This update for mongodb 3.4.10 fixes the following issues : Security issues fixed : - CVE-2017-15535: MongoDB 3.4.x before 3.4.10, and 3.5.x-development, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory. (boo#1065956) Bug fixes : - See release-notes for 3.4.4 - 3.4.10 changes. - https://docs.mongodb.com/manual/release-notes/3.4-changelog/
    last seen: 2020-06-05
    modified: 2017-11-16
    plugin id: 104614
    published: 2017-11-16
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/104614
    title: openSUSE Security Update : mongodb (openSUSE-2017-1275)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-1275.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    # Registration pass: when `description` is set the plugin only declares its
    # metadata and exits; the package checks further down run in a separate
    # pass.
    if (description)
    {
      script_id(104614);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-15535");
    
      script_name(english:"openSUSE Security Update : mongodb (openSUSE-2017-1275)");
      script_summary(english:"Check for the openSUSE-2017-1275 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      # The advisory text below notes that the affected setting is disabled by
      # default. This plugin reports on installed package versions only, so a
      # finding does not show that networkMessageCompressors is enabled.
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for mongodb 3.4.10 fixes the following issues :
    
    Security issues fixed :
    
      - CVE-2017-15535: MongoDB 3.4.x before 3.4.10, and
        3.5.x-development, has a disabled-by-default
        configuration setting, networkMessageCompressors (aka
        wire protocol compression), which exposes a
        vulnerability when enabled that could be exploited by a
        malicious attacker to deny service or modify memory.
        (boo#1065956)
    
    Bug fixes :
    
      - See release-notes for 3.4.4 - 3.4.10 changes.
    
      - https://docs.mongodb.com/manual/release-notes/3.4-changelog/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1065956"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://docs.mongodb.com/manual/release-notes/3.4-changelog/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected mongodb packages."
      );
      # Base vectors only (no temporal vectors are set in this plugin):
      # network-reachable, low complexity, no authentication, no
      # confidentiality impact. v2 rates integrity/availability Partial and
      # v3 rates them High.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H");
    
      # "local": the check evaluates data collected from the host itself (see
      # the required Host/* KB keys below), not the network service.
      script_set_attribute(attribute:"plugin_type", value:"local");
      # One CPE per package name covered by the update, plus the OS release.
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-mongoperf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-mongoperf-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-mongos");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-mongos-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-server-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-shell");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:mongodb-shell-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/16");
      script_end_attributes();
    
      # Registered as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      # Scheduling: depends on ssh_get_info.nasl and requires that local checks
      # are enabled and that the SuSE release, RPM list and CPU architecture
      # are present in the KB.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Preconditions: local checks enabled, host is openSUSE 42.3 (SLED/SLES are
    # rejected explicitly), an RPM list was collected, and the CPU is x86_64.
    # Each failed precondition ends the run through audit().
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu_arch = get_kb_item("Host/cpu");
    if (!cpu_arch) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu_arch !~ "^(x86_64)$") audit(AUDIT_ARCH_NOT, "x86_64", cpu_arch);
    
    # Package references carrying the fix (3.4.10-3.1), checked in this order.
    # The comparison is on installed package versions only; it says nothing
    # about whether networkMessageCompressors is enabled in the configuration.
    fixed_pkgs = [
      "mongodb-3.4.10-3.1",
      "mongodb-debugsource-3.4.10-3.1",
      "mongodb-mongoperf-3.4.10-3.1",
      "mongodb-mongoperf-debuginfo-3.4.10-3.1",
      "mongodb-mongos-3.4.10-3.1",
      "mongodb-mongos-debuginfo-3.4.10-3.1",
      "mongodb-server-3.4.10-3.1",
      "mongodb-server-debuginfo-3.4.10-3.1",
      "mongodb-shell-3.4.10-3.1",
      "mongodb-shell-debuginfo-3.4.10-3.1"
    ];
    
    # flag counts the references for which rpm_check() returned true.
    flag = 0;
    foreach (fixed_pkg in fixed_pkgs)
    {
      if ( rpm_check(release:"SUSE42.3", reference:fixed_pkg) ) flag++;
    }
    
    if (!flag)
    {
      # Nothing flagged: report either "not affected" or "not installed",
      # depending on whether any package test was recorded.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mongodb / mongodb-debugsource / mongodb-mongoperf / etc");
    }
    else
    {
      # At least one package flagged: raise the finding, attaching the RPM
      # report text when report verbosity is above zero.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2017-0052.NASL
    description: An update of [rsync,python2,procmail,libvirt,linux,mongodb,openssh,binutils,glibc] packages for photonOS has been released.
    last seen: 2019-02-21
    modified: 2019-02-07
    plugin id: 111901
    published: 2018-08-17
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=111901
    title: Photon OS 1.0: Binutils / Glibc / Linux / Mongodb / Openssh / Procmail / Python2 / Rsync PHSA-2017-0052 (deprecated)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # @DEPRECATED@
    #
    # Disabled on 2/7/2019
    #
    
    # The descriptive text and package checks in this plugin were
    # extracted from VMware Security Advisory PHSA-2017-0052. The text
    # itself is copyright (C) VMware, Inc.
    
    include("compat.inc");
    
    # Registration pass for a deprecated plugin: the metadata is still declared,
    # but the synopsis and solution are placeholders ("deprecated" / "n/a.").
    if (description)
    {
      script_id(111901);
      script_version("1.2");
      script_cvs_date("Date: 2019/02/07 18:59:50");
    
      # One advisory covering 15 CVEs across several packages; CVE-2017-15535
      # (mongodb) is only one entry in the bundle.
      script_cve_id(
        "CVE-2016-5417",
        "CVE-2017-15115",
        "CVE-2017-15535",
        "CVE-2017-15906",
        "CVE-2017-16548",
        "CVE-2017-16826",
        "CVE-2017-16827",
        "CVE-2017-16828",
        "CVE-2017-16829",
        "CVE-2017-16830",
        "CVE-2017-16831",
        "CVE-2017-16832",
        "CVE-2017-16844",
        "CVE-2017-1000158",
        "CVE-2017-1000256"
      );
    
      script_name(english:"Photon OS 1.0: Binutils / Glibc / Linux / Mongodb / Openssh / Procmail / Python2 / Rsync PHSA-2017-0052 (deprecated)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "This plugin has been deprecated.");
      # NOTE(review): the description lists libvirt, but the script name and the
      # cpe attributes below do not; confirm against the advisory which set is
      # correct.
      script_set_attribute(attribute:"description", value:
    "An update of
    [rsync,python2,procmail,libvirt,linux,mongodb,openssh,binutils,glibc]
    packages for photonOS has been released.");
      # https://github.com/vmware/photon/wiki/Security-Updates-91
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a72c45fb");
      script_set_attribute(attribute:"solution", value:"n/a.");
      # These vectors are taken from CVE-2017-16844 (see cvss_score_source), so
      # the full C/I/A impact rating belongs to that CVE. It should not be read
      # as the rating of CVE-2017-15535, whose own vector has no
      # confidentiality impact (C:N).
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-16844");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");
    
      # "local": written as a host-side package check rather than a network
      # probe.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:binutils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:glibc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:linux");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:mongodb");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:openssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:procmail");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:python2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:rsync");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
      script_end_attributes();
    
      # Registered as an information-gathering check.
      script_category(ACT_GATHER_INFO);
      script_family(english:"PhotonOS Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      # Scheduling: depends on ssh_get_info.nasl and requires local checks plus
      # the PhotonOS release and RPM list in the KB.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");
    
      exit(0);
    }
    
    # Deprecation switch: this unconditional exit ends every run here. All code
    # below it, including the three includes, is never executed, so the plugin
    # reports nothing. The header comment records it as disabled on 2/7/2019.
    # Coverage for these packages must come from another check.
    exit(0, "This plugin has been deprecated.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # --- Unreachable from here on; documented as the logic the plugin used. ---
    
    # Preconditions: local checks enabled and a release string identifying
    # VMware Photon (Linux|OS) 1.0.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/PhotonOS/release");
    if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
    if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");
    
    if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Architecture gate: continue only when the CPU string contains "x86_64" or
    # matches i386 through i686.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);
    
    # flag counts the package references for which rpm_check() returned true.
    flag = 0;
    
    # Package references from the advisory. The mongodb entries reference
    # 3.4.10, the release that fixes CVE-2017-15535.
    pkgs = [
      "binutils-2.29.1-2.ph1",
      "binutils-debuginfo-2.29.1-2.ph1",
      "binutils-devel-2.29.1-2.ph1",
      "glibc-2.22-17.ph1",
      "glibc-devel-2.22-17.ph1",
      "glibc-lang-2.22-17.ph1",
      "linux-4.4.103-1.ph1",
      "linux-api-headers-4.4.103-1.ph1",
      "linux-debuginfo-4.4.103-1.ph1",
      "linux-dev-4.4.103-1.ph1",
      "linux-docs-4.4.103-1.ph1",
      "linux-drivers-gpu-4.4.103-1.ph1",
      "linux-esx-4.4.103-1.ph1",
      "linux-esx-debuginfo-4.4.103-1.ph1",
      "linux-esx-devel-4.4.103-1.ph1",
      "linux-esx-docs-4.4.103-1.ph1",
      "linux-oprofile-4.4.103-1.ph1",
      "linux-sound-4.4.103-1.ph1",
      "linux-tools-4.4.103-1.ph1",
      "mongodb-3.4.10-1.ph1",
      "mongodb-debuginfo-3.4.10-1.ph1",
      "openssh-7.4p1-7.ph1",
      "openssh-debuginfo-7.4p1-7.ph1",
      "procmail-3.22-4.ph1",
      "python2-2.7.13-4.ph1",
      "python2-debuginfo-2.7.13-4.ph1",
      "python2-devel-2.7.13-4.ph1",
      "python2-libs-2.7.13-4.ph1",
      "python2-tools-2.7.13-4.ph1",
      "rsync-3.1.2-3.ph1",
      "rsync-debuginfo-3.1.2-3.ph1"
    ];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;
    
    # Any flagged package would have raised one finding for the whole bundle at
    # SECURITY_HOLE, with the RPM report text attached. Otherwise the run would
    # have ended with a "not affected" or "not installed" audit.
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "binutils / glibc / linux / mongodb / openssh / procmail / python2 / rsync");
    }