Exploit fixed in MongoDB NoSQL database

A vulnerability has been patched in the scalable NoSQL database MongoDB that would have allowed an attacker to execute malicious code.

A vulnerability has been fixed in the open source NoSQL database MongoDB that would have allowed an attacker to execute malicious code.

The exploit was demonstrated against the 32-bit build of MongoDB version 2.2.3, the scalable document database which is used by SAP for the enterprise content management section of parts of its Platform-as-a-Service (PaaS) offerings.

The vulnerability allowed an attacker to use the find function in the MongoDB shell to call the native_helper function in the SpiderMonkey JavaScript engine used in MongoDB. The attacker could then manipulate the arguments sent to the native_helper function in order to change memory pointers so that the malicious code could be executed.

The latest branch of MongoDB, 2.4, is not affected by the exploit as it switched from SpiderMonkey to Google's V8 JavaScript engine.

A patch has been produced and will be rolled out as part of MongoDB 2.2.4-rc0 in the next 48 hours, and will also be included in the 2.0 branch as part of the 2.0.9 release.
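For an administrator deciding which servers need the update, the article's facts reduce to a version check: the 2.4 branch is unaffected (V8 engine), 2.2.x needs 2.2.4 or later, and 2.0.x needs 2.0.9 or later. The following triage helper is an added example, not code from the article or from the MongoDB project. It takes documents shaped like the output of `db.serverBuildInfo()` (the `version` and `bits` fields are real; the `javascriptEngine` field is assumed to be present on builds that report it, and is treated as optional) and reports whether the build falls inside the affected range described above. The build-info documents at the bottom are constructed samples.

```python
"""Triage helper for the MongoDB nativeHelper fix described in the article.

Added example, not from the article or the MongoDB project. It encodes only
what the article states: the fix ships in 2.2.4 (first as 2.2.4-rc0) and
2.0.9, and the 2.4 branch is unaffected because it uses V8 rather than
SpiderMonkey. The sample build-info documents below are constructed.
"""
import re

# Branch -> first release carrying the patch (both versions from the article).
FIXED_IN = {
    (2, 0): (2, 0, 9),
    (2, 2): (2, 2, 4),
}


def parse_version(version: str) -> tuple:
    """Turn a version string such as '2.2.4-rc0' into (2, 2, 4).

    Pre-release suffixes are dropped, so 2.2.4-rc0 is treated as carrying
    the fix, which matches the article's statement about the patch release.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def triage(build_info: dict) -> dict:
    """Classify one server's build info as affected / fixed / not_affected / unknown."""
    version = parse_version(build_info["version"])
    branch = version[:2]
    # 'javascriptEngine' is assumed optional; absence means "not reported".
    engine = build_info.get("javascriptEngine")

    if engine == "V8" or branch >= (2, 4):
        status, action = "not_affected", "no action: V8 engine, not the SpiderMonkey code path"
    elif branch in FIXED_IN:
        fixed = FIXED_IN[branch]
        if version >= fixed:
            status, action = "fixed", "no action: patched release"
        else:
            status, action = "affected", "upgrade to %s or later" % ".".join(map(str, fixed))
    else:
        status, action = "unknown", "branch not covered by the advisory text; check vendor guidance"

    # The article only says the demonstration used a 32-bit build; a 64-bit
    # build on an affected version is still reported as affected here.
    return {
        "version": build_info["version"],
        "bits": build_info.get("bits"),
        "status": status,
        "action": action,
    }


def triage_all(build_infos: list) -> list:
    """Run triage over a fleet inventory and return one result per server."""
    return [triage(info) for info in build_infos]


# Constructed sample inventory shaped like db.serverBuildInfo() output.
SAMPLE_BUILD_INFO = [
    {"version": "2.2.3", "bits": 32, "javascriptEngine": "SpiderMonkey"},
    {"version": "2.2.4-rc0", "bits": 64, "javascriptEngine": "SpiderMonkey"},
    {"version": "2.0.8", "bits": 64},
    {"version": "2.4.1", "bits": 64, "javascriptEngine": "V8"},
]

if __name__ == "__main__":
    for result in triage_all(SAMPLE_BUILD_INFO):
        print("%-10s %s-bit  %-12s %s" % (
            result["version"], result["bits"], result["status"], result["action"]))
```

In practice the `build_info` dictionaries would come from running `db.serverBuildInfo()` (or the `buildInfo` command through a driver) against each server in the inventory; the helper stays offline so the classification logic can be reviewed on its own.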
