Resource exhaustion in mosquitto (Alpine package)



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2017-7651
CWE-ID CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
 mosquitto (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource exhaustion

EUVDB-ID: #VU33230

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-7651

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.

Mitigation

Install update from vendor's website.

Vulnerable software versions

mosquitto (Alpine package): 1.4.12-r0 - 1.4.14-r5

CPE2.3 External links

https://git.alpinelinux.org/aports/commit/?id=1010882df397e3c8f889b1f5bc658e870d5f52a6
https://git.alpinelinux.org/aports/commit/?id=9fd49ead7922a262370c74c063833035c26ef731
https://git.alpinelinux.org/aports/commit/?id=f61baacc21feda8c0f7177144a4dd3ee81aa7735
https://git.alpinelinux.org/aports/commit/?id=19539511a24c68d6a70c19ae7f30e6a11736caff
https://git.alpinelinux.org/aports/commit/?id=73a38747e43d9c0420fe000dbb786b2c02b51698


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###