| Severity | |
| Remote | |
| Type | Arbitrary code execution |
| Description | MongoDB 3.4.x before 3.4.10 has a disabled-by-default configuration setting, networkMessageCompressors (aka wire protocol compression), which exposes a vulnerability when enabled that could be exploited by a malicious attacker to deny service or modify memory of the running process. |
| References | https://jira.mongodb.org/browse/SERVER-31273 |
| | https://github.com/mongodb/mongo/commit/5ad69b851801edadbfde8fdf271f4ba7c21170b5 |
| Notes | To disable wire protocol compression, users may specify disabled as the compression engine, either on the command line: |

    --networkMessageCompressors disabled

or, alternatively, in the mongod configuration file as:

    net:
      compression:
        compressors: disabled
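An added example, not part of the original advisory: a Python check that reports a host as exposed only when it runs a 3.4.x build older than 3.4.10 and has a compressor enabled through either of the two mechanisms described in the notes. The function names, the sample configuration and the rule that a command-line value takes precedence over the file are assumptions of this sketch.

```python
import re

FIXED = (3, 4, 10)  # first fixed 3.4.x release named in the advisory

def parse_version(text):
    # Pull (major, minor, patch) out of a string such as "db version v3.4.9".
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(p) for p in m.groups())

def config_compressors(yaml_text):
    # Return net.compression.compressors from a block-style mongod.conf, or None.
    # Minimal indentation walk, not a full YAML parser (assumed nested layout).
    path = []  # stack of (indent, key) for the current nesting
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while path and path[-1][0] >= indent:
            path.pop()
        path.append((indent, key.strip()))
        if [k for _, k in path] == ["net", "compression", "compressors"]:
            return value.strip().strip("\"'")
    return None

def cli_compressors(argv):
    # Return the value given to --networkMessageCompressors, or None.
    for i, arg in enumerate(argv):
        if arg.startswith("--networkMessageCompressors="):
            return arg.split("=", 1)[1]
        if arg == "--networkMessageCompressors" and i + 1 < len(argv):
            return argv[i + 1]
    return None

def is_exposed(version_text, yaml_text="", argv=()):
    # True when an affected 3.4.x build has wire protocol compression enabled.
    version = parse_version(version_text)
    affected = version[:2] == (3, 4) and version < FIXED
    # Assumption: a command-line value overrides the configuration file.
    setting = cli_compressors(list(argv)) or config_compressors(yaml_text)
    enabled = setting is not None and setting.lower() != "disabled"
    return affected and enabled

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = "net:\n  port: 27017\n  compression:\n    compressors: snappy\n"
if __name__ == "__main__":
    print(is_exposed("db version v3.4.9", SAMPLE_CONF))
```

With no compressor setting at all the check returns False, matching the advisory's statement that the option is disabled by default.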