Fortinet Discovers MongoDB Remote Denial of Service Vulnerability
Fortinet's FortiGuard Labs has discovered a remote denial of service vulnerability in MongoDB.
MongoDB is a cross-platform document-oriented database. Classified as a non-SQL database, MongoDB eschews the traditional table-based relational database structure in favor of JSON-like documents with dynamic schemas, making the integration of data in certain types of applications easier and faster.
The vulnerability allows remote attackers to launch a denial of service attack without providing any authentication credentials.
Solutions
FortiGuard Labs released the following FortiGate IPS signature, which covers this specific vulnerability:
Released Feb 11, 2015
Users should apply the solution provided by MongoDB.
MongoDB fails to validate malformed BSON messages. A specially crafted BSON message may trigger an uncaught exception in the server, which can result in a loss of availability. Because no authentication is required to exploit it, we recommend that MongoDB users upgrade their MongoDB installations as soon as possible.
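The kind of structural check whose absence is described above, as an added example: it is not MongoDB's code and does not reproduce the specific flaw. The function name `bson_valid`, the nesting cap of 32 and the supported subset of element types are assumptions made for illustration; the layout follows the public BSON specification, and malformed input is rejected with a return value instead of an exception.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
// Read a little-endian int32 only if 4 bytes are available.
static bool read_i32(const uint8_t* p, size_t avail, int32_t* out) {
    if (avail < 4) return false;
    *out = (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
    return true;
}
// Added example, not MongoDB code. True only if buf[0..len) is exactly one
// well-formed BSON document. Subset of element types; the rest are rejected.
bool bson_valid(const uint8_t* buf, size_t len, int depth = 0) {
    int32_t total, n;
    if (depth > 32 || !read_i32(buf, len, &total)) return false;  // cap nesting
    if (total < 5 || (size_t)total != len || buf[len - 1] != 0) return false;
    size_t pos = 4, end = len - 1;  // end indexes the document terminator
    while (pos < end) {
        uint8_t type = buf[pos++];
        const void* nul = memchr(buf + pos, 0, end - pos);  // element name
        if (!nul) return false;
        pos = (size_t)((const uint8_t*)nul - buf) + 1;
        size_t remaining = end - pos, size;
        switch (type) {
            case 0x01: case 0x09: case 0x12: size = 8; break;  // double, date, int64
            case 0x08: size = 1; break;                        // boolean
            case 0x0A: size = 0; break;                        // null
            case 0x10: size = 4; break;                        // int32
            case 0x02:  // string: length prefix counts the trailing NUL
                if (!read_i32(buf + pos, remaining, &n) || n < 1) return false;
                if ((size_t)n > remaining - 4 || buf[pos + 3 + n] != 0) return false;
                size = 4 + (size_t)n; break;
            case 0x03: case 0x04:  // embedded document or array
                if (!read_i32(buf + pos, remaining, &n) || n < 5) return false;
                if ((size_t)n > remaining || !bson_valid(buf + pos, (size_t)n, depth + 1)) return false;
                size = (size_t)n; break;
            default: return false;
        }
        if (size > remaining) return false;
        pos += size;
    }
    return pos == end;
}
int main() {
    const uint8_t ok[] = {12,0,0,0, 0x10,'a',0, 1,0,0,0, 0};    // constructed: {"a": 1}
    const uint8_t bad[] = {100,0,0,0, 0x10,'a',0, 1,0,0,0, 0};  // constructed: length lies
    printf("%d %d\n", bson_valid(ok, sizeof ok), bson_valid(bad, sizeof bad));
}
```

Every length field is compared against the bytes actually received before it is used as an offset, so a message that misstates its size fails validation at the network boundary.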
This vulnerability was discovered by Xiaopeng Zhang of Fortinet's FortiGuard Labs.