MongoDB < 2.3.2 BSON Object Length Handling Memory Disclosure

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by an information disclosure
vulnerability.

Description :

The remote MongoDB server is running a version prior to 2.3.2.
It is, therefore, potentially affected by an information disclosure
vulnerability. An error exists in the handling of BSON (Binary
JavaScript Object Notation) objects with an incorrect length, which
could allow disclosure of information held in memory.
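
The length fields at issue can be checked before an object is trusted. The following is an added example, not code from this plugin or from MongoDB: a Python length consistency check written against the public BSON layout (int32 total length, elements, trailing NUL). The names FIXED_SIZES, validate_document and is_well_formed and the sample byte strings are constructed for illustration, and the check is not claimed to match what '--objcheck' does internally.

```python
import struct

FIXED_SIZES = {0x01: 8, 0x07: 12, 0x08: 1, 0x09: 8, 0x0A: 0, 0x10: 4, 0x11: 8, 0x12: 8}

class BSONLengthError(ValueError):
    """A declared length disagrees with the bytes actually present."""

def _length(buf, pos, end):
    if pos + 4 > end:
        raise BSONLengthError("length field runs past enclosing object")
    return struct.unpack_from("<I", buf, pos)[0]  # unsigned: cannot step backwards

def validate_document(buf, start=0, end=None):
    """Validate one BSON document in buf[start:end]; return its declared length."""
    end = len(buf) if end is None else end
    size = _length(buf, start, end)
    if size < 5 or start + size > end:
        raise BSONLengthError(f"declared length {size}, only {end - start} bytes present")
    last = start + size - 1                      # index of the trailing NUL
    if buf[last] != 0:
        raise BSONLengthError("no NUL terminator at declared length")
    pos = start + 4
    while pos < last:
        etype = buf[pos]
        nul = buf.find(b"\x00", pos + 1, last)   # end of the element name
        if nul < 0:
            raise BSONLengthError("element name runs past document end")
        pos = nul + 1
        if etype in FIXED_SIZES:
            pos += FIXED_SIZES[etype]
        elif etype in (0x02, 0x05):              # string / binary (binary adds a subtype byte)
            pos += 4 + (etype == 0x05) + _length(buf, pos, last)
        elif etype in (0x03, 0x04):              # embedded document or array
            pos += validate_document(buf, pos, last)
        else:
            raise BSONLengthError(f"unhandled element type 0x{etype:02x}")
        if pos > last:
            raise BSONLengthError("element overruns declared document length")
    return size

def is_well_formed(buf):
    try:
        return validate_document(buf) == len(buf)
    except BSONLengthError:
        return False

# Constructed samples: {"a": "hi"} with correct and with inflated length fields.
GOOD = struct.pack("<i", 15) + b"\x02a\x00" + struct.pack("<i", 3) + b"hi\x00\x00"
BAD_OUTER = struct.pack("<i", 1024) + GOOD[4:]
BAD_INNER = GOOD[:7] + struct.pack("<i", 4096) + GOOD[11:]
```

Both inflated samples are rejected because a declared length reaches past the bytes that were actually supplied.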

See also :

http://www.mongodb.org/about/alerts/#security-related
http://www.nessus.org/u?4cbacf08
https://jira.mongodb.org/browse/SERVER-7769
http://article.gmane.org/gmane.comp.security.oss.general/11822
http://blog.ptsecurity.com/2012/11/attacking-mongodb_26.html

Solution :

Upgrade to MongoDB 2.3.2 / 2.4.0 or later. Alternatively, use the
'--objcheck' command line switch to force object checking.

Note that version 2.3.2 is a development version and is not recommended
for production use.

Risk factor :

Medium / CVSS Base Score : 4.0
(CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVSS Temporal Score : 4.0
(CVSS2#E:ND/RL:U/RC:ND)
Public Exploit Available : true

Family: Databases

Nessus Plugin ID: 72334

Bugtraq ID: 64687

CVE ID: CVE-2012-6619