Configuration Reload Issue in Eclipse Mosquitto by Eclipse Foundation
CVE-2017-7652

7.5HIGH

Key Information:

Vendor

The Eclipse Foundation

Status
Eclipse Mosquitto
Vendor
CVE Published:
25 April 2018

What is CVE-2017-7652?

In Eclipse Mosquitto version 1.4.14, when running with a specific configuration file, sending a HUP signal to the server initiates a reload of the configuration from disk. If the server is heavily utilized with numerous clients connected, it may exhaust the available file descriptors (typically capped at 1024 on Linux systems). As a result, attempts to open the configuration file can fail, potentially disrupting server operations and affecting connectivity for the clients.

Affected Version(s)

Eclipse Mosquitto 1.4.14

References

https://lists.debian.org/debian-lts-announce/2018/03/msg0...
mailing-listx_refsource_MLIST
https://mosquitto.org/blog/2018/02/security-advisory-cve-...
x_refsource_CONFIRM
https://lists.debian.org/debian-lts-announce/2018/06/msg0...
mailing-listx_refsource_MLIST

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.