CVE-2019-15149

9.8 CRITICAL

📋 TL;DR

CVE-2019-15149 stems from a typo in Mitogen's core.py that disables the unidirectional-routing protection for child processes started by other children, potentially allowing unauthorized message routing. It affects users of the Mitogen library (the Ansible extension is not affected) who rely on this protection mechanism. The vendor disputes exploitability, noting that it would require additional, hypothetical bugs.

💻 Affected Systems

Products:
  • Mitogen
Versions: All versions before 0.2.8
Operating Systems: All platforms running Python
Default Config Vulnerable: ⚠️ Yes
Notes: The Ansible extension is NOT affected. Exploitability requires additional hypothetical bugs in the message receiver policy.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Unauthorized process communication leading to privilege escalation, data exfiltration, or remote code execution in multi-process architectures.

🟠 Likely Case: Limited impact, because exploitation also requires additional bugs in the message receiver policy; most configurations remain unaffected.

🟢 If Mitigated: No impact if proper message validation and process isolation are implemented independently of this protection.

🌐 Internet-Facing: LOW - Mitogen is typically used in internal automation, not directly internet-exposed.
🏢 Internal Only: MEDIUM - Could affect internal automation systems if combined with other vulnerabilities.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

The vendor disputes practical exploitability without additional bugs. No known exploits in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.8

Vendor Advisory: https://mitogen.networkgenomics.com/changelog.html#v0-2-8-2019-08-18

Restart Required: Yes

Instructions:

1. Update Mitogen to version 0.2.8 or later using pip: pip install "mitogen>=0.2.8" (the quotes stop the shell from treating >= as an output redirection)
2. Restart any services using Mitogen
3. Verify the fix by checking the installed version

🔧 Temporary Workarounds

Disable child-to-child process creation (applies to: all platforms)

Configure applications to avoid creating child processes from other children where possible.

# Application-specific configuration required

🧯 If You Can't Patch

  • Implement strict message validation and authentication in all process communication
  • Isolate processes using containerization or virtualization to limit potential impact

🔍 How to Verify

Check if Vulnerable:

Run python -c "import mitogen; print(mitogen.__version__)"; if the reported version is lower than 0.2.8, the installation is vulnerable.

Check Version:

python -c "import mitogen; print(mitogen.__version__)"

Verify Fix Applied:

After updating, confirm that the same command reports 0.2.8 or higher.
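The check above as a script, added here as an example (not code from the advisory or the Mitogen project): it compares the reported version against 0.2.8 numerically rather than as text, so 0.2.10 is not misread as older than 0.2.8, and it assumes mitogen exposes __version__ as either a string or a tuple of integers.

```python
"""Version check for CVE-2019-15149: is the installed Mitogen older than the
0.2.8 fix? Added example, not code from the advisory or the Mitogen project.
Versions are compared numerically (0.2.10 is newer than 0.2.8, which a plain
string comparison gets wrong) and 0.2.8 pre-releases count as vulnerable."""
import re

FIXED_VERSION = (0, 2, 8)  # first release carrying the fix, per the advisory

_NUMERIC = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(.*)$")
_PRERELEASE = re.compile(r"^[.\-_]?(a|b|c|rc|alpha|beta|dev|pre)", re.IGNORECASE)


def parse_version(version):
    """Return (numeric_tuple, is_prerelease) for '0.2.8', 'v0.2.8rc1',
    '0.2.10.dev0' or a tuple like (0, 2, 8), since a library may expose
    __version__ in either form. A post-release suffix ('-1') is not a pre-release."""
    if isinstance(version, (tuple, list)):
        return tuple(int(p) for p in version), False
    match = _NUMERIC.match(str(version))
    if not match:
        raise ValueError("unrecognised version string: %r" % (version,))
    numeric = tuple(int(p) for p in match.group(1).split("."))
    suffix = match.group(2).strip()
    return numeric, bool(suffix and _PRERELEASE.match(suffix))


def is_vulnerable(version):
    """True if this version predates 0.2.8 (CVE-2019-15149 unfixed)."""
    numeric, prerelease = parse_version(version)
    if numeric < FIXED_VERSION:
        return True
    if numeric > FIXED_VERSION:
        return False
    return prerelease  # exactly 0.2.8: rc/dev builds predate the final release


def check_installed():
    """Inspect the Mitogen importable by this interpreter and report on it."""
    try:
        import mitogen
    except ImportError:
        return "Mitogen is not installed here: not affected"
    version = getattr(mitogen, "__version__", None)
    if version is None:
        return "Mitogen found but has no __version__ attribute: check manually"
    state = "VULNERABLE (update to >= 0.2.8)" if is_vulnerable(version) else "fixed"
    return "Mitogen %s: %s" % (version, state)
```

Call check_installed() from the interpreter that runs your Mitogen-based service, or pass the value printed by the command above to is_vulnerable().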

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process communication patterns
  • Unauthorized message routing attempts

Network Indicators:

  • Unusual inter-process communication on localhost

SIEM Query:

None given; instead, monitor process trees for unexpected parent-child relationships in Mitogen-based applications.
