  1. Core Server
  2. SERVER-24378

Authenticating against non-existent database with 2.4 style users should not create database in memory

    • ALL

      Issue Status as of Jun 02, 2016

      ISSUE SUMMARY
      Authenticating against a non-existent database that contains 2.4-style users creates the database in memory.

      This bug has been assigned CVE-2016-3104.

      USER IMPACT
      In-memory representation of databases increases memory consumption in mongod. In very extreme cases this increase in memory consumption may cause mongod to run out of memory and either terminate or be terminated by the operating system’s OOM killer.

      AFFECTED VERSIONS
      This issue only affects the following MongoDB versions when running with authentication under the following conditions:

      • MongoDB version 2.4
      • MongoDB version 2.6 when running with 2.4-style users

      To find out if your deployment has 2.4-style users, please see the documentation on auth schemas.

      Neither MongoDB 2.6 with 2.6-style users, nor MongoDB 3.0 and newer are affected by this issue.
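The conditions above can be checked per node. The following is an added example, not MongoDB's code: it classifies a constructed inventory, assuming each entry carries the server version, whether authentication is enabled, and the `authSchema` document from `admin.system.version`. The mapping of `currentVersion` 1 to 2.4-style users and 3 to 2.6-style users is an assumption not stated on this page, and the names `assessNode`, `assessFleet` and `SAMPLE_FLEET` are hypothetical.

```javascript
// Added example. authSchemaDoc is what the mongo shell returns for:
//   db.getSiblingDB("admin").system.version.findOne({_id: "authSchema"})
// Assumption: currentVersion 1 = 2.4-style users, 3 = 2.6-style users.

function parseMajorMinor(version) {
  const m = /^(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error("unparseable version: " + version);
  return [Number(m[1]), Number(m[2])];
}

function assessNode(node) {
  // The advisory only applies when mongod runs with authentication.
  if (!node.authEnabled) return { status: "not-applicable", action: "auth disabled" };
  const [major, minor] = parseMajorMinor(node.version);
  if (major >= 3) return { status: "not-affected", action: "none" };
  if (major === 2 && minor === 4)
    return { status: "affected", action: "no workaround; upgrade to a newer version" };
  if (major === 2 && minor === 6) {
    const doc = node.authSchemaDoc;
    if (!doc || typeof doc.currentVersion !== "number")
      return { status: "review", action: "no authSchema document; check users manually" };
    if (doc.currentVersion === 1)
      return { status: "affected", action: "complete 2.6 upgrade and upgrade auth schema" };
    if (doc.currentVersion === 3) return { status: "not-affected", action: "none" };
    return { status: "review", action: "unexpected schema version " + doc.currentVersion };
  }
  return { status: "review", action: "version not covered by the advisory" };
}

// Constructed inventory, for illustration only.
const SAMPLE_FLEET = [
  { host: "db-a", version: "2.4.14", authEnabled: true, authSchemaDoc: null },
  { host: "db-b", version: "2.6.12", authEnabled: true,
    authSchemaDoc: { _id: "authSchema", currentVersion: 1 } },
  { host: "db-c", version: "2.6.12", authEnabled: true,
    authSchemaDoc: { _id: "authSchema", currentVersion: 3 } },
  { host: "db-d", version: "2.6.12", authEnabled: true, authSchemaDoc: null },
  { host: "db-e", version: "3.0.11", authEnabled: true,
    authSchemaDoc: { _id: "authSchema", currentVersion: 5 } },
  { host: "db-f", version: "2.4.14", authEnabled: false, authSchemaDoc: null },
];

function assessFleet(fleet) {
  const report = {};
  for (const node of fleet) report[node.host] = assessNode(node);
  return report;
}
```

Nodes reported as `review` need a manual check against the auth schema documentation before they are treated as unaffected.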

      WORKAROUNDS AND REMEDIATION
      There’s no workaround for this issue in MongoDB 2.4. Users affected by this issue should consider upgrading to a newer version.

      MongoDB 2.6 users affected by this issue should complete the 2.6 upgrade process and upgrade their authorization schema.

      For more information on remediation, please see the Security Manual and the Security Checklist.

            Assignee: Unassigned
            Reporter: Ramon Fernandez Marina (ramon.fernandez@mongodb.com)