oss-sec mailing list archives

Re: MongoDB memory over-read via incorrect BSON object length (was: [HITB-Announce] HITB Magazine Issue 10 Out Now)


From: Solar Designer <solar () openwall com>
Date: Wed, 8 Jan 2014 03:58:18 +0400

On Tue, Jan 07, 2014 at 05:15:11PM -0500, cve-assign () mitre org wrote:
> > There is a memory over-read bug that can be used by an authenticated
> > user (if applicable) to obtain raw MongoDB server process memory
> > contents via incorrect BSON object length.  I guess that under most
> > deployments this does not cross a security boundary, but for some it
> > could (differently-privileged MongoDB users, data already deleted from
> > the DB yet staying in process memory, or/and metadata that is not
> > normally retrievable).
>
> Use CVE-2012-6619.

Thanks!  To make sure MongoDB developers are aware of this, I am CC'ing
this reply to security () mongodb com as specified here:

http://docs.mongodb.org/manual/tutorial/create-a-vulnerability-report/

Past MongoDB security issues are listed here:

http://www.mongodb.org/about/alerts/#security-related

and they don't appear to include this "new" issue yet.

I've just added these two links to:

http://oss-security.openwall.org/wiki/software#mongodb

MongoDB - here's some more context regarding the specific vulnerability
(now known as CVE-2012-6619, as per the assignment above):

http://www.openwall.com/lists/oss-security/2014/01/07/2

Alexander
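
Added example, not part of the original message and not MongoDB's code: a bounds check of the kind that guards against an over-read driven by a declared BSON length, where every length field (outer document, string, embedded document) is compared against the bytes actually received before anything is read. The name bson_bounds_ok, the depth limit of 32 and the sample documents are assumptions made for illustration; the layout follows the public BSON specification and only a subset of element types is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
static int32_t rd_i32(const uint8_t *p) {            /* BSON int32 is little-endian */
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}

/* Return 1 only if buf[0..avail) is exactly one BSON document whose declared
 * lengths (outer and nested) all stay inside the received bytes.
 * Handles a subset of element types and rejects the rest; call with depth 0. */
int bson_bounds_ok(const uint8_t *buf, size_t avail, int depth) {
    if (depth > 32 || avail < 5) return 0;           /* int32 length + 0x00 minimum */
    int32_t len = rd_i32(buf);
    if (len < 5 || (size_t)len != avail) return 0;   /* declared vs. received size */
    if (buf[len - 1] != 0x00) return 0;              /* document terminator */
    size_t pos = 4, end = (size_t)len - 1;
    while (pos < end) {
        uint8_t type = buf[pos++];
        const uint8_t *nul = memchr(buf + pos, 0, end - pos);  /* key cstring */
        if (!nul) return 0;
        pos = (size_t)(nul - buf) + 1;
        size_t left = end - pos, need;
        int32_t n;
        switch (type) {
        case 0x01: case 0x12: need = 8; break;       /* double, int64 */
        case 0x08: need = 1; break;                  /* boolean */
        case 0x10: need = 4; break;                  /* int32 */
        case 0x02:                                   /* string: int32 n, n bytes incl. NUL */
            if (left < 5) return 0;
            n = rd_i32(buf + pos);
            if (n < 1 || (size_t)n > left - 4 || buf[pos + 3 + n] != 0) return 0;
            need = 4 + (size_t)n; break;
        case 0x03: case 0x04:                        /* embedded document, array */
            if (left < 5) return 0;
            n = rd_i32(buf + pos);
            if (n < 5 || (size_t)n > left || !bson_bounds_ok(buf + pos, (size_t)n, depth + 1)) return 0;
            need = (size_t)n; break;
        default: return 0;                           /* type outside this subset */
        }
        if (need > left) return 0;
        pos += need;
    }
    return pos == end;
}

/* Constructed samples: {"a": 1}, and the same bytes declaring 0x40 as the length. */
static const uint8_t good_doc[]  = {0x0C,0,0,0, 0x10,'a',0, 1,0,0,0, 0};
static const uint8_t lying_doc[] = {0x40,0,0,0, 0x10,'a',0, 1,0,0,0, 0};
```

The check accepts good_doc and rejects lying_doc, whose header claims 64 bytes while only 12 were received.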

