Code-execution vulnerability fixed in MongoDB NoSQL database

Summary: A vulnerability has been patched in the scalable NoSQL database MongoDB that would have allowed an attacker to execute malicious code.

A vulnerability has been fixed in the open source NoSQL database MongoDB that would have allowed an attacker to execute malicious code on the database server.

The exploit was demonstrated against the 32-bit build of MongoDB version 2.2.3. MongoDB is the scalable document database used by SAP for the enterprise content management section of parts of its Platform-as-a-Service (PaaS) offerings.

The vulnerability allowed an attacker to use the find function in the MongoDB shell to call the native_helper function of the SpiderMonkey JavaScript engine embedded in MongoDB. By manipulating the arguments passed to the native_helper function, the attacker could overwrite memory pointers so that the malicious code was executed.

The latest branch of MongoDB, 2.4, is not affected by the exploit because it switched from SpiderMonkey to Google's V8 JavaScript engine.

A patch has been produced and will be rolled out as part of MongoDB 2.2.4-rc0 within the next 48 hours; it will also be included in the 2.0 branch as part of the 2.0.9 release.
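For administrators checking their own estate, the following added example (not code from the article or from the MongoDB project) maps a deployment's version onto the fixed and unaffected releases the article names, and flags query log lines that reference the native helper. The log lines are constructed for the example; the normalisation that accepts both the article's spelling, native_helper, and a camel-cased variant is an assumption of this example.

```python
import re
from typing import List, Optional, Tuple

# Releases the article names as carrying the fix, keyed by branch, plus the
# branch it describes as unaffected because it uses V8 rather than SpiderMonkey.
FIXED_IN = {(2, 2): (2, 2, 4), (2, 0): (2, 0, 9)}
UNAFFECTED_BRANCHES = {(2, 4)}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a string such as '2.2.4-rc0' into (2, 2, 4). The pre-release tag is
    dropped because the article says the fix ships with the first 2.2.4 candidate."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> Optional[bool]:
    """True if the version predates the fix on its branch, False if it is fixed
    or on the unaffected 2.4 branch, None if the article says nothing about it."""
    v = parse_version(version)
    branch = v[:2]
    if branch in UNAFFECTED_BRANCHES:
        return False
    if branch in FIXED_IN:
        return v < FIXED_IN[branch]
    return None


def _normalise(text: str) -> str:
    # Strip underscores and case so 'native_helper' and 'nativeHelper' compare equal
    # (assumption: both spellings may appear in logs).
    return text.replace("_", "").lower()


def flag_native_helper_queries(log_lines: List[str]) -> List[str]:
    """Return the log lines whose text references the native helper function."""
    return [line for line in log_lines if "nativehelper" in _normalise(line)]


# Constructed sample mongod log lines, not captured from a real server.
SAMPLE_LOG = [
    'Tue Mar 26 10:00:01 [conn12] query test.items query: { name: "widget" } nreturned:1',
    'Tue Mar 26 10:00:05 [conn13] query test.items query: { $where: "nativeHelper.apply(a, b)" } nreturned:0',
    'Tue Mar 26 10:00:09 [conn14] query test.items query: { price: { $gt: 10 } } nreturned:4',
]

if __name__ == "__main__":
    print("2.2.3 affected:", is_affected("2.2.3"))
    print("flagged:", flag_native_helper_queries(SAMPLE_LOG))
```

Run against a real deployment, the version string comes from the server's build information and the log lines from mongod's query log; a hit on a server whose version is_affected() reports as True is the case worth investigating.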


About

Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.
