Core Server / SERVER-20691

Vulnerability in LDAP authentication

    • Fully Compatible
    • ALL
    • Security A 10/09/15

      Issue Status as of Dec 02, 2015

      ISSUE SUMMARY
      A vulnerability in MongoDB Enterprise 3.0.0 through 3.0.6 may allow a user to gain unauthorized access to a MongoDB instance or cluster. Only deployments using LDAP authentication are affected by this vulnerability.

      This vulnerability has been assigned CVE-2015-7882.

      To determine if your deployment is affected, run the following command on any node in your cluster:

      db.adminCommand({getParameter: 1, authenticationMechanisms: 1})
      

      If the output lists “PLAIN” and the node is a MongoDB Enterprise build in the affected version range (3.0.0 through 3.0.6), your installation is vulnerable. PLAIN is the mechanism MongoDB Enterprise uses for LDAP authentication, so its presence means LDAP authentication is enabled on that process. The following example shows the output of the above command in a vulnerable installation:

      > db.adminCommand({getParameter: 1, authenticationMechanisms: 1})
      { "authenticationMechanisms" : [ "PLAIN" ], "ok" : 1 }
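The mongo shell is JavaScript, so the check above can be scripted. The following is an added example, not code from the SERVER-20691 advisory or from MongoDB itself: it combines the advisory's PLAIN check with the stated affected version range and the Enterprise-build test, using the `version` and `modules` fields that the real `buildInfo` command returns. The sample command outputs are constructed for the example, not captured from real servers; the function names are the example's own.

```javascript
// Added example (not from the SERVER-20691 advisory or MongoDB's own code):
// classify one mongod/mongos as affected by CVE-2015-7882 from the results of
// db.adminCommand({buildInfo: 1}) and
// db.adminCommand({getParameter: 1, authenticationMechanisms: 1}).
// The decision requires all three of: Enterprise build, PLAIN enabled,
// version in 3.0.0 - 3.0.6 (the range stated in the advisory).

// Parse "3.0.6" or "3.0.6-rc0" into [3, 0, 6]; a pre-release suffix is ignored.
function parseVersion(v) {
  return String(v).split('-')[0].split('.').map(function (part) {
    var n = parseInt(part, 10);
    return isNaN(n) ? 0 : n;
  });
}

// Affected range per the advisory: 3.0.0 <= version <= 3.0.6 (inclusive).
function inAffectedRange(version) {
  var p = parseVersion(version);
  return p[0] === 3 && p[1] === 0 && (p[2] || 0) <= 6;
}

// buildInfo: output of {buildInfo: 1}; params: output of the getParameter call.
function classifyNode(buildInfo, params) {
  var enterprise = Array.isArray(buildInfo.modules) &&
                   buildInfo.modules.indexOf('enterprise') !== -1;
  var mechs = Array.isArray(params.authenticationMechanisms) ?
              params.authenticationMechanisms : [];
  var plain = mechs.indexOf('PLAIN') !== -1;
  var affectedVersion = inAffectedRange(buildInfo.version);

  var reasons = [];
  if (!enterprise) reasons.push('community build');
  if (!plain) reasons.push('PLAIN not enabled');
  if (!affectedVersion) reasons.push('version ' + buildInfo.version + ' outside 3.0.0-3.0.6');

  return {
    vulnerable: enterprise && plain && affectedVersion,
    version: buildInfo.version,
    mechanisms: mechs,
    reasons: reasons          // empty when vulnerable
  };
}

// Constructed sample outputs (hypothetical, not captured from real servers).
var SAMPLES = {
  vulnerable: {
    buildInfo: { version: '3.0.6', modules: ['enterprise'], ok: 1 },
    params: { authenticationMechanisms: ['PLAIN'], ok: 1 }
  },
  patched: {
    buildInfo: { version: '3.0.7', modules: ['enterprise'], ok: 1 },
    params: { authenticationMechanisms: ['PLAIN'], ok: 1 }
  },
  noLdap: {
    buildInfo: { version: '3.0.6', modules: ['enterprise'], ok: 1 },
    params: { authenticationMechanisms: ['SCRAM-SHA-1'], ok: 1 }
  },
  community: {
    buildInfo: { version: '3.0.6', modules: [], ok: 1 },
    params: { authenticationMechanisms: ['SCRAM-SHA-1', 'MONGODB-CR'], ok: 1 }
  }
};

// Run the classifier over the constructed samples and print one line each.
function reportSamples() {
  return Object.keys(SAMPLES).map(function (name) {
    var r = classifyNode(SAMPLES[name].buildInfo, SAMPLES[name].params);
    return name + ': ' + (r.vulnerable ? 'VULNERABLE' : 'not affected') +
      (r.reasons.length ? ' (' + r.reasons.join(', ') + ')' : '');
  });
}

reportSamples().forEach(function (line) { console.log(line); });
```

Against a live node in the mongo shell, the equivalent call is `classifyNode(db.adminCommand({buildInfo: 1}), db.adminCommand({getParameter: 1, authenticationMechanisms: 1}))`. Because `authenticationMechanisms` is a per-process startup parameter, run the check on every mongod and mongos rather than relying on a single node's answer.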
      

      USER IMPACT
      It is possible to gain unauthorized access to an instance or cluster running an affected version of MongoDB Enterprise with LDAP authentication enabled. The Community edition of MongoDB is not affected by this vulnerability.

      WORKAROUNDS
      There are no workarounds for this issue. Impacted users must upgrade to MongoDB 3.0.7 as soon as possible.

      AFFECTED VERSIONS
      MongoDB Enterprise 3.0.0 through 3.0.6 (inclusive).

      FIX VERSION
      The fix is included in the 3.0.7 production release.

            Assignee:
            spencer.jackson@mongodb.com Spencer Jackson
            Reporter:
            spencer.jackson@mongodb.com Spencer Jackson