Researchers at Cisco Talos have identified several potentially serious vulnerabilities in Aerospike Database Server, including remote code execution and information disclosure issues. The flaws were reported to Aerospike and addressed.
Aerospike Database Server is an open source NoSQL database solution designed for applications that require high performance. The product is used by several major brands, including Kayak, AppNexus, Adform, adMarketplace and BlueKai.
Cisco’s Talos security intelligence and research group discovered that Aerospace Database Server 3.10.0.3 – and possibly earlier versions – is affected by three vulnerabilities rated critical and high severity.
One of the flaws, tracked as CVE-2016-9054, is a stack-based buffer overflow in the product’s querying functionality, specifically the “as_sindex__simatch_list_set_binid” function. An attacker who can connect to the listening port can remotely execute arbitrary code via a specially crafted packet that triggers the vulnerability.
The second arbitrary code execution flaw, identified as CVE-2016-9052, is very similar, but it affects a different function, namely “as_sindex__simatch_by_iname.”
The third security hole discovered by Cisco Talos researchers in the Aerospace Database Server, tracked as CVE-2016-9050, is an out-of-bounds read issue that exists in the client message-parsing functionality. By sending a specially crafted packet to the listening port, an attacker can trigger the flaw, which can result in memory disclosure or a denial-of-service (DoS) condition.
Aerospike developers were informed about the vulnerabilities on December 23. Release notes show that the code execution weaknesses were addressed on January 5 in version 3.11.0.
Talos has published advisories containing technical details and proof-of-concept (PoC) code for each of the vulnerabilities.
Cisco recently decided to extend the disclosure timeline for vulnerabilities found by Talos researchers from 60 days to 90 days after data collected by the company showed that the average time-to-patch had been 78 days.
Related Reading: Code Execution Flaws Patched in HDF5 Library
Related Reading: OpenJPEG Flaw Allows Code Execution via Malicious Image Files
Related Reading: Hackers Can Exploit LibreOffice Flaw With RTF Files
