Cisco Blogs

Vulnerability Spotlight: Exploiting the Aerospike Database Server

January 12, 2017 - 1 Comment

Vulnerabilities discovered by Talos

Talos is disclosing multiple vulnerabilities discovered in the Aerospike Database Server. These vulnerabilities range from memory disclosure to potential remote code execution. This software is used by various companies that require a high performance NoSQL database. Aerospike fixed these issues in  version 3.11.

The Aerospike Database Server is both a distributed and scalable NoSQL database that is used as a back-end for scalable web applications that need a key-value store. With a focus on performance, it is multi-threaded and retains its indexes entirely in ram with the ability to persist data to a solid-state drive or traditional rotational media. 

TALOS-2016-0264 (CVE-2016-9050) – Aerospike Database Server Client Message Memory Disclosure Vulnerability

TALOS-2016-0266 (CVE-2016-9052) – Aerospike Database Server Index Name Code Execution Vulnerability

TALOS-2016-0268 (CVE-2016-9054) – Aerospike Database Server Set Name Code Execution Vulnerability



In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. These 3 vulnerabilities were fixed in Aerospike Server v3.11 released January 5, 2017. Since your blog post is dated January 12, this should have been mentioned in your post.

    Indeed, the blog post from Talos that you link to states in the “Coverage” section that “Aerospike version 3.11 addresses these issues”.

    Kindly update your blog post accordingly as currently, your incomplete can easily lead one to conclude that these flaws have not been addressed.