Loading...

XML

Word

Printable

JSON

Type: Task
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 8.3.0-rc0, 8.2.4, 8.0.18, 7.0.29
Affects Version/s: None
Component/s: None
Labels:
None

Assigned Teams:

Catalog and Routing
Backwards Compatibility:
Fully Compatible
Backport Requested:

v8.2, v8.0, v7.0
Sprint:
CAR Team 2025-12-22
Story Points:
1
CAR Domain/s:

🟦 Shard Catalog

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

Currently we expose ResourceId values in various places:

Via the lockInfo command
Via logging
Via error messages

If an attacker were to know the value for a given input then they could derive the random secret key we use in order to generate ResourceIds and perform the same attack as ~~SERVER-114838~~.

We should limit it such that it is only ever exposed in high permission settings such as the first two while limiting the last one.

is related to

SERVER-114838 Lock Manager is susceptible to an adversarial DDOS attack

Closed

Assignee:: Jordi Olivares Provencio
Reporter:: Jordi Olivares Provencio
Participants:: Githook User, Jordi Olivares Provencio
Votes:: 0 Vote for this issue
Watchers:: 4 Start watching this issue

Created:: Dec 11 2025 10:57:53 AM UTC
Updated:: Feb 10 2026 07:39:59 PM UTC
Resolved:: Dec 12 2025 02:06:08 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates