[DOCS-15079] Document the security non-implications of md5 usage in SCRAM-SHA-1 - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Task
Status: Closed
Priority: Major - P3
Resolution: Done
Affects Version/s: None
Fix Version/s: 4.2.0, 4.4.0, 5.0.0, 5.2.0, 5.3.0
Component/s: manual, Server
Labels:
None

Story Points:
3
Epic Link:
DOCS: Server Bugfix Backlog
Sprint:
ServerDocs2022: Feb8 - Feb15

Description

We often get tickets like SECURITY-769 or ~~CSHARP-3729~~ (and similar tickets in other driver projects) where a user complains that their security scanner told them we use md5 and therefore our software has a security vulnerability or that they tried to use SCRAM-SHA-1 in a FIPS140-2 environment and failed because FIPS enforcement breaks md5 methods. The following docs pages must be updated to mention the usage of md5 in SCRAM-SHA-1, that md5 is necessary but not used in a cryptographic context and that FIPS users should use SCRAM-SHA-256, Kerberos, LDAP, x509, etc. in place of SCRAM-SHA-1.

https://docs.mongodb.com/upcoming/core/security-scram/
https://docs.mongodb.com/manual/tutorial/configure-fips/

Attachments

Activity

People

Assignee:: Jason Price

Reporter:: Bernie Hackett

Participants:: Bernie Hackett, Githook User, James Kovacs, Jason Price

Last commenter:: Jess Mokrzecki

External Reviewer:: Bernie Hackett

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: Feb 01 2022 09:01:07 PM UTC

Updated:: Feb 15 2022 07:51:36 PM UTC

Resolved:: Feb 15 2022 07:27:13 PM UTC

Days since reply:: 1 year, 31 weeks, 2 days ago

Date of 1st Reply:: 01/Feb/22 9:11 PM