PT-2020-6204 · Zeromq+4
Bluca · Published 2020-09-07 · Updated 2024-06-15 · CVE-2020-15166
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
ZeroMQ versions prior to 4.3.3
Description
The vulnerability stems from a resource-handling error in ZeroMQ (libzmq), the messaging library. An unauthenticated remote attacker who can reach a TCP transport endpoint can cause a denial of service. CURVE encryption and ZAP authentication do not prevent it, because the trigger is a bare TCP connection that presents no keys or credentials: if a raw TCP socket is opened and connected to an endpoint that is fully configured with CURVE/ZAP, legitimate clients can no longer exchange any messages. Their handshakes complete successfully and their messages are delivered to the library, but the server application never receives them.
Recommendations
Update ZeroMQ (libzmq) to version 4.3.3 or later. Distribution packages that backport the fix may keep an older upstream version number, so for the affected products listed below check the distribution's own security advisory or package changelog rather than the version string alone. Until the fix is deployed, limit exposure of TCP transport endpoints: bind to a loopback or private address, firewall the port so that only known client addresses can connect, or use a transport an attacker cannot reach (for example ipc://). Note that the raw TCP connection is made by the attacker, not by the application, so the problem cannot be avoided in application code, and enabling CURVE/ZAP on its own does not protect the endpoint.
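As an added check for this advisory (example code, not part of the ZeroMQ project or of the original page), the following Python script asks the installed libzmq for its version through the C API's zmq_version(3), falls back to pkg-config, and compares numerically against 4.3.3, the fixed release named above. It compares as integers rather than strings so that 4.3.10 is correctly treated as newer than 4.3.3, and it tolerates distribution-style suffixes such as "-2ubuntu1" (the suffix formats in the comments are assumptions about what packaged builds report). It does not attempt to reproduce the denial of service.

```python
"""Check whether the libzmq on this host predates the CVE-2020-15166 fix (4.3.3).

Added example for this advisory; not ZeroMQ project code.  The only fact
taken from the advisory is the first fixed upstream version, 4.3.3.
"""
import ctypes
import ctypes.util
import re
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (4, 3, 3)  # first upstream release containing the fix (from the advisory)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '4.3.2', '4.3.10' or a distro string like '4.3.2-2ubuntu1' into a tuple.

    Assumed input formats: plain 'major.minor.patch' with an optional trailing
    package suffix.  Comparing numerically avoids the classic pitfall where the
    string '4.3.10' sorts before '4.3.3'.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised libzmq version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def is_vulnerable(version: str) -> bool:
    """True if the upstream version number is older than 4.3.3.

    Caveat: distributions often backport fixes without changing the upstream
    version number, so a 'vulnerable' verdict for a packaged libzmq must be
    confirmed against the distro's own security advisory or package changelog.
    """
    return parse_version(version) < FIXED_VERSION


def libzmq_runtime_version() -> Optional[str]:
    """Ask the installed shared library itself via zmq_version(3)."""
    path = ctypes.util.find_library("zmq")
    if path is None:
        return None
    lib = ctypes.CDLL(path)
    major, minor, patch = ctypes.c_int(), ctypes.c_int(), ctypes.c_int()
    lib.zmq_version(ctypes.byref(major), ctypes.byref(minor), ctypes.byref(patch))
    return f"{major.value}.{minor.value}.{patch.value}"


def pkgconfig_version() -> Optional[str]:
    """Fallback: the version the build-time metadata reports, if pkg-config is present."""
    try:
        out = subprocess.run(["pkg-config", "--modversion", "libzmq"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    for label, probe in (("zmq_version()", libzmq_runtime_version),
                         ("pkg-config", pkgconfig_version)):
        ver = probe()
        if ver is None:
            print(f"{label}: libzmq not found")
            continue
        verdict = "VULNERABLE (pre-4.3.3)" if is_vulnerable(ver) else "fixed upstream"
        print(f"{label}: libzmq {ver} -> {verdict}")
```

Run it on each host that binds a ZeroMQ TCP endpoint; a "fixed upstream" verdict from zmq_version() is authoritative for the library actually loaded, whereas a "VULNERABLE" verdict on a distribution package still needs to be cross-checked against that distribution's advisory, since backported fixes do not bump the upstream version.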
Fix
DoS
Resource Exhaustion
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Linuxmint
Suse
Ubuntu
Zeromq