Tested versions include Tarantool 1.7.2-0-g8e92715 and Msgpuck 1.0.3
Tested versions include Tarantool 1.7.2-0-g8e92715 and Msgpuck 1.0.3

Cisco Talos researchers spotted two denial of service vulnerabilities in the Tarantool open-source Lua-based application server.

The first vulnerability, CVE-2016-9036, deals with the product's Msgpuck library and could be exploited to cause a denial of service condition if a specially crafted packet which causes the ‘mp_check' function to incorrectly return success when trying to check if decoding a map16 packet will read outside the bounds of a buffer, according a the Dec. 20 blog post.

 The second bug, CVE-2016-9037, can cause denial of service conditions on the server if an attacker sends a specially crafted packet designed to cause the ‘xrow_header_decode' function to access an out-of-bounds memory location, the blog said.

Researchers tested versions Tarantool version 1.7.2-0-g8e92715 and Msgpuck version 1.0.3. Tarantool is used by various service providers such as Mail.RU, and Badoo.

Snort Rules 41080-41082 will detect exploitation attempts, according to the post.