CVE-2017-7652
Published: 2018-04-25
Priority: P3 · 41 · high · 7.5 (CVSS 3.0)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.68% (74.0th percentile)
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.
Affected (10 ranges indexed; duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | mosquitto | < mosquitto 1.4.15-1 (bookworm) | mosquitto 1.4.15-1 (bookworm) |
| eclipse | mosquitto | >= 0 < 1.4.15-1 | 1.4.15-1 |
| eclipse | mosquitto | 1.0 – 1.4.14 | — |
| the_eclipse_foundation | eclipse_mosquitto | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
GHSA
GHSA-7349-r6vq-ggx3 (ghsa_unreviewed · 2022-05-13 · HIGH): same description as the CVE summary above.
OSV
CVE-2017-7652 (osv · 2018-04-25 · CVSS 7.5 · HIGH): same description as the CVE summary above.
Debian
CVE-2017-7652: mosquitto (vendor_debian · 2017 · CVSS 7.5 · HIGH): same description as the CVE summary above.
Scope: local
bookworm: resolved (fixed in 1.4.15-1)
bullseye: resolved (fixed in 1.4.15-1)
forky: resolved (fixed in 1.4.15-1)
sid: resolved (fixed in 1.4.15-1)
trixie: resolved (fixed in 1.4.15-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-7652 mosquitto: configuration reload fails when no free sockets/file descriptors are available [fedora-all] (bugzilla · 2018-03-05 · CVSS 7.5 · HIGH)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this is
Bugzilla
CVE-2017-7652 mosquitto: configuration reload fails when no free sockets/file descriptors are available [epel-7] (bugzilla · 2018-03-05 · CVSS 7.5 · HIGH)
Automatically created tracking bug for epel-7, with the same boilerplate text as the fedora-all tracking bug above.
Discussion:
Use the
Bugzilla
CVE-2017-7651 mosquitto: memory exhaustion through multiple crafted CONNECT packets (bugzilla · 2018-03-05 · CVSS 7.5 · HIGH)
A flaw was found in mosquitto affecting all versions up to 1.4.14 inclusive. Unauthenticated clients can send a crafted CONNECT packet which causes large amounts of memory use in the broker. If multiple clients do this, an out of memory situation can occur and the system may become unresponsive or the broker will be killed by the operating system.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1549660
https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
Upstream Patch:
https://mosquitto.org/files/cve/2017-7651/
Discussion:
Created mosquitto tracking bugs for this issue:
Affects: fedora-all [bug 1551754]
Affects: epel-7 [bug 1551755]
Bugzilla
CVE-2017-7652 mosquitto: configuration reload fails when no free sockets/file descriptors are available (bugzilla · 2018-03-05 · CVSS 7.5 · HIGH)
A flaw was found in mosquitto affecting versions from 1.0 to 1.4.14 inclusive. If the broker has exhausted all of its free sockets/file descriptors and then a SIGHUP signal is received to trigger reloading of the configuration, then the reloading will fail. This results in many of the configuration options, including security options, being set to their default value. This means that authorization and access control may no longer be in place.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1549665
https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
Upstream Patch:
https://mosquitto.org/files/cve/2017-7652/
Discussion:
Created mosquitto tracking
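The failure mode in the report above, as an added example that is not Mosquitto's own code: a minimal SIGHUP-style config reload written in the vulnerable shape (reset everything to defaults, then read the file) and in the fixed shape (parse into a scratch copy, commit only on success), exercised with the process's descriptors deliberately exhausted so that fopen() fails with EMFILE. The struct, the two keys, the path /etc/mosquitto/acl and the lowered RLIMIT_NOFILE soft limit are constructed for the demonstration; Linux semantics are assumed.

```c
/* Added example (not Mosquitto's own code): the reload pattern behind CVE-2017-7652. When fopen()
 * on the config fails (EMFILE once every descriptor is in use), a reload that wipes the live settings
 * first leaves the broker at its permissive defaults; parse into a scratch copy, commit only on success. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

struct broker_cfg { int allow_anonymous; char acl_file[128]; };
static void cfg_defaults(struct broker_cfg *c) { c->allow_anonymous = 1; c->acl_file[0] = '\0'; }
/* Minimal "key value" parser; returns -1 (errno set by fopen) if the file cannot be opened. */
static int cfg_load(const char *path, struct broker_cfg *c) {
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    char line[256], key[64], val[128];
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%63s %127s", key, val) != 2) continue;
        if (!strcmp(key, "allow_anonymous")) c->allow_anonymous = !strcmp(val, "true");
        else if (!strcmp(key, "acl_file")) snprintf(c->acl_file, sizeof c->acl_file, "%s", val);
    }
    fclose(f);
    return 0;
}
/* Vulnerable shape: reset to defaults, then try to read the file. */
static int reload_unsafe(const char *path, struct broker_cfg *live) {
    cfg_defaults(live);
    return cfg_load(path, live);   /* on failure, live now says allow_anonymous=1 and no ACL file */
}
/* Fixed shape: parse into a fresh copy and commit only if the file was actually read. */
static int reload_safe(const char *path, struct broker_cfg *live) {
    struct broker_cfg fresh; cfg_defaults(&fresh);
    if (cfg_load(path, &fresh) != 0) return -1;   /* keep the running config; caller logs errno */
    *live = fresh;
    return 0;
}
/* Scenario: secured live config, every descriptor consumed (soft limit lowered to make that cheap), then
 * a SIGHUP-style reload. Returns allow_anonymous afterwards (1 = auth silently disabled); -2 if no EMFILE. */
static int reload_with_fds_exhausted(int use_safe) {
    struct broker_cfg live = { 0, "/etc/mosquitto/acl" };   /* constructed secured state */
    struct rlimit saved, low; getrlimit(RLIMIT_NOFILE, &saved);
    low = saved; low.rlim_cur = 16; setrlimit(RLIMIT_NOFILE, &low);
    FILE *held[32]; int n = 0;
    while (n < 32 && (held[n] = fopen("/dev/null", "r"))) n++;   /* stops at EMFILE */
    int rc = use_safe ? reload_safe("/dev/null", &live) : reload_unsafe("/dev/null", &live);
    int err = errno;
    while (n) fclose(held[--n]);
    setrlimit(RLIMIT_NOFILE, &saved);
    return (rc == -1 && err == EMFILE) ? live.allow_anonymous : -2;
}
```

Calling reload_with_fds_exhausted(0) returns 1 (anonymous access enabled by the failed reload), while reload_with_fds_exhausted(1) returns 0 because the secured settings were never discarded.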
References:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102
https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html
https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html
https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/
https://www.debian.org/security/2018/dsa-4325