- Type: Bug
- Resolution: Done
- Priority: Major - P3
- Affects Version/s: None
- Component/s: Internal Code
- Fully Compatible
- ALL
- Security A 10/09/15
ISSUE SUMMARY
A vulnerability in MongoDB Enterprise 3.0.0 through 3.0.6 may allow a user to gain unauthorized access to a MongoDB instance or cluster. Only deployments using LDAP authentication are affected by this vulnerability.
This vulnerability has been assigned CVE-2015-7882.
To determine if your deployment is affected, run the following command on any node in your cluster. Note that authenticationMechanisms is a per-process startup parameter, so if your mongod and mongos processes are not all started with the same configuration, repeat the check on each of them:
db.adminCommand({getParameter: 1, authenticationMechanisms: 1})
If the output contains the word “PLAIN” (the SASL mechanism MongoDB Enterprise uses for LDAP proxy authentication), then your installation is vulnerable. The following example shows the output of the above command in a vulnerable installation:
> db.adminCommand({getParameter: 1, authenticationMechanisms: 1})
{ "authenticationMechanisms" : [ "PLAIN" ], "ok" : 1 }
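The check above is a manual read of one field. The following is an added triage helper, not code from the advisory or from MongoDB: it combines the authenticationMechanisms output with the server's buildInfo so that all three conditions of the advisory (PLAIN enabled, Enterprise build, version 3.0.0 through 3.0.6) are evaluated together, and it can be run over a list of nodes rather than one. It assumes buildInfo reports the edition in a "modules" array containing "enterprise" and the release in a "version" string; the sample documents at the bottom are constructed to mirror the advisory's example output. The functions are pure, so the file can be loaded in the mongo shell or executed under node.

```javascript
// Added triage helper for CVE-2015-7882 (not MongoDB's own code).
// Pure functions: pass in the documents returned by
//   db.adminCommand({getParameter: 1, authenticationMechanisms: 1})
//   db.serverBuildInfo()
// and get back a classification for that process.

// Parse "3.0.6" or "3.0.7-rc0" into [3, 0, 6]; null for anything unparsable.
function parseVersion(v) {
  var m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Affected range per the advisory: 3.0.0 through 3.0.6 inclusive.
function inAffectedRange(version) {
  var p = parseVersion(version);
  return p !== null && p[0] === 3 && p[1] === 0 && p[2] <= 6;
}

// Assumption: Enterprise builds list "enterprise" in buildInfo.modules.
function isEnterprise(buildInfo) {
  var mods = (buildInfo && buildInfo.modules) || [];
  return mods.indexOf("enterprise") !== -1;
}

// A process is affected only when all three conditions hold; each partial
// result is returned too so an operator can see which condition cleared it.
function classify(paramResult, buildInfo) {
  var mechs = (paramResult && paramResult.authenticationMechanisms) || [];
  var plainEnabled = mechs.indexOf("PLAIN") !== -1;
  var enterprise = isEnterprise(buildInfo);
  var affectedVersion = inAffectedRange(buildInfo && buildInfo.version);
  return {
    plainEnabled: plainEnabled,
    enterprise: enterprise,
    affectedVersion: affectedVersion,
    affected: plainEnabled && enterprise && affectedVersion
  };
}

// authenticationMechanisms is set per process, so evaluate every mongod and
// mongos. Each node entry is {host, params, buildInfo}; returns affected hosts.
function affectedHosts(nodes) {
  return nodes
    .filter(function (n) { return classify(n.params, n.buildInfo).affected; })
    .map(function (n) { return n.host; });
}

// Constructed sample documents (hypothetical hosts), shaped like real output.
var SAMPLE_NODES = [
  { host: "db1:27017",
    params: { authenticationMechanisms: ["PLAIN"], ok: 1 },
    buildInfo: { version: "3.0.6", modules: ["enterprise"] } },
  { host: "db2:27017",
    params: { authenticationMechanisms: ["SCRAM-SHA-1", "PLAIN"], ok: 1 },
    buildInfo: { version: "3.0.0", modules: ["enterprise"] } },
  { host: "db3:27017",          // patched release, PLAIN still configured
    params: { authenticationMechanisms: ["PLAIN"], ok: 1 },
    buildInfo: { version: "3.0.7", modules: ["enterprise"] } },
  { host: "db4:27017",          // Enterprise in range, but LDAP not enabled
    params: { authenticationMechanisms: ["SCRAM-SHA-1"], ok: 1 },
    buildInfo: { version: "3.0.5", modules: ["enterprise"] } },
  { host: "db5:27017",          // Community build, out of scope
    params: { authenticationMechanisms: ["SCRAM-SHA-1"], ok: 1 },
    buildInfo: { version: "3.0.6", modules: [] } }
];

// When loaded in the mongo shell, classify the connected process directly.
if (typeof db !== "undefined") {
  printjson(classify(
    db.adminCommand({getParameter: 1, authenticationMechanisms: 1}),
    db.serverBuildInfo()));
}
```

For a cluster, collect the two documents from each process (for example via `mongo --quiet host:port --eval`) into the node list shape shown and call affectedHosts on the result; any host it returns needs the 3.0.7 upgrade.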
USER IMPACT
It is possible to gain unauthorized access to an instance or cluster running an affected version of MongoDB Enterprise with LDAP authentication enabled. The Community edition of MongoDB is not affected by this vulnerability.
WORKAROUNDS
There are no workarounds for this issue. Impacted users must upgrade to MongoDB 3.0.7 as soon as possible.
AFFECTED VERSIONS
MongoDB Enterprise 3.0.0 through 3.0.6 (inclusive).
FIX VERSION
The fix is included in the 3.0.7 production release.