SERVER-17252

Upgrade PCRE Version from 8.30 to Latest

    • Minor Change

      Issue Status as of Mar 10, 2015

      ISSUE SUMMARY
      MongoDB ships with PCRE 8.30, which suffers from the following vulnerabilities:

      When running with authentication, users need to be successfully authenticated into MongoDB to be able to exploit these vulnerabilities.

      USER IMPACT
      Remote attackers may cause a denial of service (crash) or have other unspecified impact via a crafted regular expression, related to an assertion that allows zero repeats.

      WORKAROUNDS
      N/A

      AFFECTED VERSIONS
      All MongoDB production releases prior to 2.6.9 and 3.0.1 are affected by this issue.

      FIX VERSION
      The fix is included in the 2.6.9 and 3.0.1 production releases.
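The affected and fix versions above reduce to a simple branch-aware version comparison, which is easy to get wrong when checked by hand (for example, 3.0.0 is affected while 2.6.9 is not, so a plain string or float comparison fails). The following added example, which is not part of the issue and not MongoDB's own code, takes the `version` string that MongoDB's `buildInfo` command returns and decides whether a release is in the affected range described in this issue; the host inventory is constructed sample data, and the handling of branches newer than 3.0 (treated as not affected) is an assumption, since the issue does not speak about them.

```python
import re

# Fix versions from this issue: the first release on each branch that ships the patched PCRE.
FIXED_ON_BRANCH = {(2, 6): (2, 6, 9), (3, 0): (3, 0, 1)}


def parse_version(version_string):
    """Reduce a MongoDB version string such as '2.6.8' or '3.0.1-rc0' to a numeric triple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("unrecognised MongoDB version string: %r" % version_string)
    return tuple(int(part) for part in m.groups())


def affected_by_server_17252(version_string):
    """True if the release is in the affected range: prior to 2.6.9 or prior to 3.0.1."""
    version = parse_version(version_string)
    branch = version[:2]
    if branch in FIXED_ON_BRANCH:
        # Same branch as a fix version: affected only if older than the fix.
        return version < FIXED_ON_BRANCH[branch]
    if branch < (2, 6):
        # Every production release before the 2.6 branch is listed as affected.
        return True
    # Assumption: branches newer than 3.0 (not covered by the issue) ship the patched PCRE.
    return False


def affected_hosts(inventory):
    """Return the hosts whose reported server version falls in the affected range, sorted by name."""
    return sorted(host for host, version in inventory.items() if affected_by_server_17252(version))


# Constructed sample inventory: host name -> buildInfo().version as reported by each mongod.
SAMPLE_INVENTORY = {
    "db01": "2.6.8",
    "db02": "3.0.1",
    "db03": "2.4.12",
    "db04": "3.0.0",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("%s runs %s: upgrade to 2.6.9 / 3.0.1 or later" % (host, SAMPLE_INVENTORY[host]))
```

The check only covers the server version; it says nothing about whether authentication is enabled, which the issue notes is what limits exploitation to already-authenticated users.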

      RESOLUTION DETAILS
      Ship MongoDB with a patched 8.36+ version of PCRE that does not suffer from these vulnerabilities.

      ADDITIONAL INFORMATION
      An external security researcher exploited the issue in PCRE to cause a crash in MongoDB. They were issued CVE-2015-2327 and CVE-2015-2328 for their findings. We rate these issues with a CVSS score of 6.8.

      Original description

      Currently, MongoDB ships with version 8.30 of the PCRE library:

      https://github.com/mongodb/mongo/tree/b0cd366ef38cd300a19379628dd89088b4b19774/src/third_party/pcre-8.30

      This is somewhat out of date.

      It would be good to update this to the latest version, which at the time of writing was 8.36 (released October 2014).

            Assignee: Mark Benvenuto (mark.benvenuto@mongodb.com)
            Reporter: Victor Hooi (victor.hooi)
