- Type: Improvement
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: 2.6.7, 3.0.0-rc8
- Component/s: Build, Internal Code
ISSUE SUMMARY
MongoDB ships with PCRE 8.30, which suffers from the following vulnerabilities:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8964
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8964
When running with authentication, an attacker must first authenticate to MongoDB to exploit these vulnerabilities. Note that any application which passes untrusted input through to a server-side regular expression (for example as the value of a $regex query operator) lets the users of that application reach the PCRE compiler under the application's own credentials.
USER IMPACT
Remote attackers may cause a denial of service (crash) or have other unspecified impact via a crafted regular expression; the defect is in PCRE's handling of an assertion that allows zero repeats.
WORKAROUNDS
N/A
AFFECTED VERSIONS
All MongoDB production releases prior to 2.6.9 and 3.0.1 are affected by this issue.
FIX VERSION
The fix is included in the 2.6.9 and 3.0.1 production releases.
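An added inventory check, not part of this advisory or of MongoDB's code, that applies the affected-version statement above to `mongod --version` output. It assumes the first line of that output has the form "db version vX.Y.Z" and, conservatively, treats a release-candidate tag as preceding its final release (so 3.0.0-rc8 is affected). Branches the advisory does not name (the 2.7.x development series, 3.1 and later) are reported as not covered rather than silently called safe. The host names and version outputs are constructed.

```python
"""Which MongoDB hosts still run a release that bundles the vulnerable PCRE 8.30?

Encodes the advisory text: all production releases prior to 2.6.9 and 3.0.1
are affected. Added example; the "db version vX.Y.Z" output format is assumed.
"""
import re

# Fix points as (major, minor, patch, pre_flag). pre_flag 0 marks a pre-release
# and 1 a final release, so "3.0.0-rc8" sorts below "3.0.0" and any
# "3.0.1-rcN" sorts below "3.0.1" (conservative: rcs are treated as unfixed).
FIXED_26 = (2, 6, 9, 1)
FIXED_30 = (3, 0, 1, 1)

_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?")


def parse_version(text):
    """Return (major, minor, patch, prerelease) from a bare version string or
    from `mongod --version` output, whose "db version v2.6.7" line is preferred
    over anything else in the output (git hashes, OpenSSL version, dates)."""
    for line in text.splitlines():
        if "db version" in line:
            text = line
            break
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no MongoDB version found in %r" % text)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    pre = (m.group(4) or "").lstrip("-")
    return major, minor, patch, pre


def classify(text):
    """'affected', 'fixed', or 'not-covered' (a branch the advisory does not name)."""
    major, minor, patch, pre = parse_version(text)
    key = (major, minor, patch, 0 if pre else 1)
    if key < FIXED_26:                      # 2.4.x, 2.6.0-2.6.8 and their rcs
        return "affected"
    if (major, minor) == (2, 6):            # 2.6.9 and later 2.6.x
        return "fixed"
    if (major, minor) == (3, 0):
        return "affected" if key < FIXED_30 else "fixed"
    # 2.7.x development releases and 3.1+ are outside the advisory's statement;
    # a scanner should surface them rather than assume they are safe.
    return "not-covered"


# Constructed `mongod --version` outputs for a small fleet (not real hosts).
SAMPLE_FLEET = {
    "db-prod-1": "db version v2.6.7\ngit version: nogitversion\n",
    "db-prod-2": "db version v3.0.0-rc8\ngit version: nogitversion\n"
                 "OpenSSL version: OpenSSL 1.0.1e\n",
    "db-prod-3": "db version v2.6.9\ngit version: nogitversion\n",
    "db-stage":  "db version v3.0.1\ngit version: nogitversion\n",
}


def affected_hosts(fleet):
    """Sorted names of hosts whose reported version is classified 'affected'."""
    return sorted(h for h, out in fleet.items() if classify(out) == "affected")


if __name__ == "__main__":
    for host, out in sorted(SAMPLE_FLEET.items()):
        print("%-10s %-10s %s" % (host, out.split("\n")[0], classify(out)))
    print("affected:", affected_hosts(SAMPLE_FLEET))
```

Feed it the captured `mongod --version` output from each host (for example via your configuration-management tool) rather than the package version, since a binary built from source or a vendor package may report a different version than the package manager does.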
RESOLUTION DETAILS
Ship MongoDB with a patched PCRE 8.36 or later, which does not suffer from these vulnerabilities.
ADDITIONAL INFORMATION
An external security researcher triggered the PCRE issue to crash MongoDB. They were issued CVE-2015-2327 and CVE-2015-2328 for their findings. We rate these issues with a CVSS score of 6.8.
Original description
Currently, MongoDB ships with version 8.30 of the PCRE library:
This is somewhat out of date.
It would be good to update this to the latest version, which at time of writing was 8.36 (released October 2014).