[Japanese]

JVNDB-2017-000252

MQTT.js issue in handling PUBLISH packets

Overview

MQTT.js is a client library for MQTT. MQTT.js contains an issue in handling PUBLISH packets sent from an MQTT Broker.

Masataka Sakaguchi, Bintatsu Noda and Hisashi Kojima of Fujitsu Laboratories Ltd.reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products


MQTT.js
  • MQTT.js 2.x.x prior to 2.15.0

Impact

Receiving a large number of packets from an MQTT broker may result in a denial-of-service (DoS) condition.
Solution

[Update MQTT.js and rebuild the application]
Developers of applications that use MQTT.js should update MQTT.js and re-build the application.
Vendor Information

MQTT.js
CWE (What is CWE?)

  1. Buffer Errors(CWE-119) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2017-10910
References

  1. JVN : JVN#45494523
  2. National Vulnerability Database (NVD) : CVE-2017-10910
Revision History

  • [2017/12/25]
      Web page was published
  • [2018/04/04]
      References : Content was added

Date Public2017/12/25
Date First Published2017/12/25
Date Last Updated2018/04/04