JVNDB-2017-000252

MQTT.js issue in handling PUBLISH packets

Overview

MQTT.js is a client library for MQTT. MQTT.js contains an issue in handling PUBLISH packets sent from an MQTT Broker.

Masataka Sakaguchi, Bintatsu Noda and Hisashi Kojima of Fujitsu Laboratories Ltd. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

CVSS Severity

Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial

CVSS V3 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Affected Products

MQTT.js
  • MQTT.js 2.x.x prior to 2.15.0

Impact

Receiving a large number of packets from an MQTT broker may result in a denial-of-service (DoS) condition.

Solution

[Update MQTT.js and rebuild the application]
Developers of applications that use MQTT.js should update MQTT.js and rebuild the application.

Vendor Information

MQTT.js

CWE

  1. Buffer Errors (CWE-119) [IPA Evaluation]

CVE

  1. CVE-2017-10910

References

  1. JVN : JVN#45494523

Revision History

[2017/12/25]
  Web page was published