Vulnerabilities discovered by Talos
Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from memory disclosure to potential remote code execution. This software is used by various companies that require a high-performance NoSQL database. Aerospike fixed these issues in version 3.11.
The Aerospike Database Server is a distributed, scalable NoSQL database that is used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in RAM, with the ability to persist data to a solid-state drive or traditional rotational media.
TALOS-2016-0264 (CVE-2016-9050) – Aerospike Database Server Client Message Memory Disclosure Vulnerability
TALOS-2016-0266 (CVE-2016-9052) – Aerospike Database Server Index Name Code Execution Vulnerability
TALOS-2016-0268 (CVE-2016-9054) – Aerospike Database Server Set Name Code Execution Vulnerability
These 3 vulnerabilities were fixed in Aerospike Server v3.11 released January 5, 2017. Since your blog post is dated January 12, this should have been mentioned in your post.
Indeed, the blog post from Talos that you link to states in the “Coverage” section that “Aerospike version 3.11 addresses these issues”.
Kindly update your blog post accordingly, as currently your incomplete post can easily lead one to conclude that these flaws have not been addressed.