CVE-2017-15535

Severity: High
Remote: Yes
Type: Arbitrary code execution
Description
MongoDB 3.4.x before 3.4.10 has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which, when enabled, exposes a vulnerability that a malicious attacker could exploit to deny service or modify memory of the running process.
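
| Group | Package | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|---|
| AVG-503 | mongodb | 3.4.9-1 | 3.6.0-1 | High | Fixed | FS#56379 |

| Date | Advisory | Group | Package | Severity | Description |
|---|---|---|---|---|---|
| 05 Jan 2018 | ASA-201801-5 | AVG-503 | mongodb | High | arbitrary code execution |
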
References
https://jira.mongodb.org/browse/SERVER-31273
https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5
Notes
To disable wire protocol compression, users may specify "disabled" as the compression engine, either on the command line:

    --networkMessageCompressors disabled

or, alternatively, in the mongod configuration file as:

    net:
        compression:
            compressors: disabled
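
To check whether a given instance actually runs with the mitigation above, the following added example (not part of the advisory or of MongoDB) combines the version range from the description with the compressor setting. The function names are hypothetical, and it assumes a block-style YAML configuration file and that a command-line value overrides the file.

```shell
# Added example: classify one mongod instance against CVE-2017-15535.

# Exit 0 if VERSION is 3.4.x before 3.4.10 (accepts package versions like 3.4.9-1).
version_affected() {
    case "$1" in 3.4.*) ;; *) return 1 ;; esac
    patch=${1#3.4.}; patch=${patch%%[!0-9]*}
    [ -n "$patch" ] && [ "$patch" -lt 10 ]
}

# Print the value given to --networkMessageCompressors, if present.
cmdline_compressors() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --networkMessageCompressors=*) echo "${1#*=}"; return ;;
            --networkMessageCompressors)   echo "$2"; return ;;
        esac
        shift
    done
}

# Print net.compression.compressors from a block-style YAML config on stdin.
# Indentation-based; flow-style YAML ({...}) is not handled.
config_compressors() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            line = $0; sub(/^ +/, "", line); ind = length($0) - length(line)
            sub(/[ \t]+#.*$/, "", line)
            key = line; sub(/[ \t]*:.*$/, "", key)
            val = line; sub(/^[^:]*:[ \t]*/, "", val); gsub(/"/, "", val)
            while (n > 0 && indent[n] >= ind) n--   # leave deeper/sibling levels
            n++; indent[n] = ind; name[n] = key
            if (n == 3 && name[1] == "net" && name[2] == "compression" &&
                key == "compressors") print val
        }'
}

# exposure VERSION [mongod args...] < mongod.conf
# Assumption: a command-line value overrides the configuration file.
exposure() {
    ver=$1; shift
    version_affected "$ver" || { echo "not-in-range"; return; }
    setting=$(cmdline_compressors "$@")
    [ -n "$setting" ] || setting=$(config_compressors)
    case "$setting" in
        ""|disabled) echo "compression-off" ;;   # unset means the 3.4 default
        *)           echo "exposed" ;;
    esac
}
```

Call it as `exposure 3.4.9-1 --port 27017 < mongod.conf`; `exposed` means an affected version with a compressor enabled, `compression-off` an affected version that still needs the upgrade but has the mitigation in place.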