
Security Alert # 2: VelocyPack Buffer Overflow


Issue Description

The VelocyPack implementation used in ArangoDB can trigger a buffer overflow. To exploit this, an attacker needs access to the database port. Because a buffer overflow results in undefined behavior, the attacker might crash the database server or gain unauthorized access to data stored in the database.

It is therefore important to upgrade ArangoDB as soon as possible.

Issue Resolution

Please upgrade to at least:

  • v3.2.18
  • v3.3.22
  • v3.4.2-1

These versions contain an updated version of the VelocyPack library, which protects against the buffer overflow.

To check the version you are using, run:

/usr/sbin/arangod --version | head -1

If you are using a Docker container, check that your image has been updated by running:

docker run -it arangodb/arangodb env arangod --version | head -1
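The following script turns the version check above into a pass/fail test against the fixed versions listed in this alert. It is an added example, not ArangoDB's own tooling. It assumes that the first line of `arangod --version` is the bare version string (for example `3.4.1`), that a version with no `-N` revision sorts below the same version with one (so `3.4.2` is below `3.4.2-1`), and that release lines newer than 3.4 already carry the fix; release lines older than 3.2 have no fixed version in this alert and are reported as not patched. The sample versions at the bottom are constructed for demonstration.

```shell
#!/bin/sh
# Added example: compare an ArangoDB version against the fixed versions from
# this alert. Not part of ArangoDB. Assumptions are marked below.

# Minimum fixed version per release line, taken from the alert.
fixed_for_line() {
    case "$1" in
        3.2) echo "3.2.18" ;;
        3.3) echo "3.3.22" ;;
        3.4) echo "3.4.2-1" ;;
        *)   echo "" ;;
    esac
}

# Split "MAJOR.MINOR.PATCH[-REV]" into four space-separated numbers.
# A missing revision counts as 0, so 3.4.2 sorts below 3.4.2-1 (assumption).
split_version() {
    v="$1"
    rev=0
    case "$v" in
        *-*) rev="${v##*-}"; v="${v%-*}" ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    echo "${1:-0} ${2:-0} ${3:-0} ${rev:-0}"
}

# Return 0 when version $1 is at or above version $2, comparing field by field.
version_ge() {
    a=$(split_version "$1"); b=$(split_version "$2")
    set -- $a $b
    [ "$1" -gt "$5" ] && return 0
    [ "$1" -lt "$5" ] && return 1
    [ "$2" -gt "$6" ] && return 0
    [ "$2" -lt "$6" ] && return 1
    [ "$3" -gt "$7" ] && return 0
    [ "$3" -lt "$7" ] && return 1
    [ "$4" -ge "$8" ]
}

# Return 0 (patched) when $1 is at or above the fixed version of its line.
# Lines newer than 3.4 are assumed to carry the fix (assumption, not stated in
# the alert); lines older than 3.2 have no listed fix and count as not patched.
is_patched() {
    set -- $(split_version "$1") "$1"
    fixed=$(fixed_for_line "$1.$2")
    if [ -n "$fixed" ]; then
        version_ge "$5" "$fixed"
    elif [ "$1" -gt 3 ] || { [ "$1" -eq 3 ] && [ "$2" -ge 5 ]; }; then
        return 0
    else
        return 1
    fi
}

# Print a one-line verdict for a version string; always returns 0.
report() {
    if is_patched "$1"; then
        echo "$1: at or above the fixed version for its release line"
    else
        echo "$1: NOT patched, upgrade as described in this alert"
    fi
}

# Check the installed server when arangod is on PATH (assumption: the first
# line of `arangod --version` is the bare version string); otherwise run the
# check over constructed sample versions.
if command -v arangod >/dev/null 2>&1; then
    report "$(arangod --version | head -1)"
else
    for v in 3.2.17 3.2.18 3.3.21 3.3.22 3.4.2 3.4.2-1 3.4.3 3.5.0; do
        report "$v"
    done
fi
```

For a containerised deployment, feed the output of the `docker run ... env arangod --version | head -1` command above into `report` instead of the local binary.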

Additional Questions

In case of any questions, please contact us. ArangoDB Customers can open a support ticket in our Support Platform.