Configuration Reload Issue in Eclipse Mosquitto by Eclipse Foundation
CVE-2017-7652

7.5HIGH

Key Information:

Vendor: The Eclipse Foundation
Status: Eclipse Mosquitto
Vendor: CVE Published:; 25 April 2018

What is CVE-2017-7652?

In Eclipse Mosquitto version 1.4.14, when running with a specific configuration file, sending a HUP signal to the server initiates a reload of the configuration from disk. If the server is heavily utilized with numerous clients connected, it may exhaust the available file descriptors (typically capped at 1024 on Linux systems). As a result, attempts to open the configuration file can fail, potentially disrupting server operations and affecting connectivity for the clients.

Affected Version(s)

Eclipse Mosquitto 1.4.14

References

https://lists.debian.org/debian-lts-announce/2018/03/msg0...

mailing-listx_refsource_MLIST

https://mosquitto.org/blog/2018/02/security-advisory-cve-...

x_refsource_CONFIRM

https://lists.debian.org/debian-lts-announce/2018/06/msg0...

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 25, 2018
Vulnerability Reserved
Apr 11, 2017

The Eclipse Foundation

What is CVE-2017-7652?

Affected Version(s)

References

CVSS V3.1

Timeline