-
Type:
Bug
-
Resolution: Fixed
-
Priority:
Major - P3
-
Affects Version/s: 6.0.0, 7.0.0, 8.1.0-rc0, 8.0.0, 8.2.0-rc0
-
Component/s: None
-
None
-
Query Execution
-
Fully Compatible
-
ALL
-
v8.1, v8.0, v7.0, v6.0
-
QE 2025-05-12, QE 2025-05-26, QE 2025-06-09, QE 2025-06-23, QE 2025-07-07, QE 2025-07-21
-
None
-
None
-
None
-
None
-
None
-
None
-
None
The killCursors and releaseMemory authorization checks have potential for a "time-of-check to time-of-use" race allowing a malicious user to intentionally kill cursors from other users:
In the authorization check for both commands, if the cursor does not exist, it will let the command continue running, expecting that when the command tries to kill the cursor, it will find again that it still does not exist, and fail.
However, it may happen that the cursor is allocated right after the auth check. The chance that this succeeds is not random because cursor IDs are predictable: They are allocated using a non-cryptographically secure pseudo-random number generator, which is shared.
In a multi-user/multi-tenant environment, a malicious user may be able to reconstruct the state of the PRNG from observed cursor IDs, use it to guess the next cursor IDs to be allocated by other users, then attempt to kill them, which will occasionally succeed, when the cursor gets allocated right after the auth check.
- related to
-
SERVER-107614 Investigate pipeline dependency in client_cursor
-
- Closed
-