New vulnerabilities in MongoDB – SERVER-17521, SERVER-17252, SERVER-17264

Three new vulnerabilities have been discovered in MongoDB. Affected deployments should be upgraded to the fixed releases listed below.

CVE-2015-2705

MongoDB is susceptible to a denial of service (crash) due to a failure to check for a missing value. When running with authentication, an attacker needs to be successfully authenticated into MongoDB and have write access to a database to be able to exploit this vulnerability. Remote attackers may cause a denial of service (crash). MongoDB 3.0.0 is affected by this issue. The fix is included in the 3.0.1 production release.

CVE-2015-2327, CVE-2015-2328

MongoDB ships with PCRE 8.30, which suffers from the following vulnerabilities:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8964

When running with authentication, users need to be successfully authenticated into MongoDB to be able to exploit these vulnerabilities. Remote attackers may cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats. All MongoDB production releases prior to 2.6.9 and 3.0.1 are affected by this issue. The fix is included in the 2.6.9 and 3.0.1 production releases.

CVE-2015-1609

The MongoDB server fails to validate some cases of malformed BSON. This failure occurs pre-authentication. A specially crafted, malformed BSON message may trigger an uncaught exception in the server, resulting in a loss of availability. All MongoDB production releases up to 2.6.7 are affected by this issue. The fix is included in the 2.4.13 and 2.6.8 production releases. Please check the following tutorial for any upgrade assistance:

http://docs.mongodb.org/manual/tutorial/upgrade-revision/
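A version check covering the three advisories above, added here as an example and not part of the original post: it encodes the fixed releases stated above and reports which of the CVEs still apply to a given `mongod --version` banner. The banners in the sample run are constructed, not captured from a real host.

```python
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Fixed releases exactly as stated in the advisory above.
ADVISORIES = {
    "CVE-2015-2705": "DoS via unchecked missing value (3.0.0 only; fixed in 3.0.1)",
    "CVE-2015-2327/2328": "PCRE 8.30 crafted regex (fixed in 2.6.9 and 3.0.1)",
    "CVE-2015-1609": "pre-auth malformed BSON (fixed in 2.4.13 and 2.6.8)",
}


def parse_version(text: str) -> Version:
    """Extract (major, minor, patch) from e.g. 'db version v2.6.7' or '3.0.0-rc8'."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no MongoDB version found in {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def applicable_cves(v: Version) -> List[str]:
    """Return the CVEs from this advisory that still apply to release v."""
    hits: List[str] = []
    # CVE-2015-2705: the advisory names 3.0.0 as the only affected release.
    if v == (3, 0, 0):
        hits.append("CVE-2015-2705")
    # PCRE issues: every production release before 2.6.9, plus 3.0.0.
    if v < (2, 6, 9) or (3, 0, 0) <= v < (3, 0, 1):
        hits.append("CVE-2015-2327/2328")
    # BSON issue: releases up to 2.6.7, except the 2.4 branch from 2.4.13 on.
    on_patched_24 = (2, 4, 13) <= v < (2, 5, 0)
    if v < (2, 6, 8) and not on_patched_24:
        hits.append("CVE-2015-1609")
    return hits


def check(version_banner: str) -> List[str]:
    """Convenience wrapper: banner text in, list of applicable CVE ids out."""
    return applicable_cves(parse_version(version_banner))


if __name__ == "__main__":
    # Constructed sample banners in the format mongod prints.
    for banner in ["db version v2.4.12", "db version v2.6.7", "db version v3.0.0", "db version v3.0.1"]:
        cves = check(banner)
        print(banner, "->", "; ".join(f"{c}: {ADVISORIES[c]}" for c in cves) or "none from this advisory")
```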

Please mail us at managed-support@e2enetworks.com or support@e2enetworks.com, as applicable, for any queries that you may have.