Main Vulnerability Database SB2018031709

SB2018031709 - Fedora 28 update for mosquitto

Published: March 17, 2018 Updated: April 24, 2025

Security Bulletin ID SB2018031709

Severity

Medium

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Denial of service

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Resource exhaustion (CVE-ID: CVE-2017-7651)

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

In Eclipse Mosquitto 1.4.14, a user can shutdown the Mosquitto server simply by filling the RAM memory with a lot of connections with large payload. This can be done without authentications if occur in connection phase of MQTT protocol.

2) Input validation error (CVE-ID: CVE-2017-7652)

The vulnerability allows a remote authenticated user to execute arbitrary code.

In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-2018-d305559481