CVE-2017-15535 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	MongoDB 3.4.x before 3.4.10, has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory of the running process.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-503	mongodb	3.4.9-1	3.6.0-1	High	Fixed	FS#56379

Date	Advisory	Group	Package	Severity	Type
05 Jan 2018	ASA-201801-5	AVG-503	mongodb	High	arbitrary code execution

References
https://jira.mongodb.org/browse/SERVER-31273 https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5

Notes
To disable wire protocol compression, users may specify disabled as the compression engine, either in the command line: --networkMessageCompressors disabled or, alternatively, in the mongod configuration file as: net: compression: compressors: disabled

Notes

To disable wire protocol compression, users may specify disabled as the compression engine, either in the command line:

    --networkMessageCompressors disabled

or, alternatively, in the mongod configuration file as:

    net:
        compression:
            compressors: disabled