Core Server / SERVER-13644

Sensitive credentials in startup options are not redacted and may be exposed

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.6.1, 2.7.0
    • Component/s: Logging, Security
    • Labels: None
    • Operating System: ALL

      Description

      Issue Status as of April 22, 2014

      ISSUE SUMMARY
      Version 2.6.0 does not correctly redact the following startup options passed into mongod: the PEMKeyPassword, clusterPassword and Windows servicePassword. If these credentials are provided in the config file, they may be disclosed in the log file and via the getCmdLineOpts command. If the credentials are provided as command line options to mongod, the clusterPassword may additionally be disclosed via the system's process table.

      USER IMPACT
      Potential security risk: users with local access to the host (the log file or the process table), or with access to the admin database and thus to getCmdLineOpts, may be able to read these credentials.

      WORKAROUNDS
      As a work-around, we recommend following these security guidelines:

      • make the log file readable only by the database user
      • use a config file to pass the options to avoid the process listing
      • limit access to the admin database appropriately
      • (only if the HTTP interface is enabled, which is off by default) restrict access to HTTP interface appropriately

      RESOLUTION
      The patch correctly redacts the credentials.
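      The redaction described above, as an added example (constructed for this page, not MongoDB's own C++ code): it masks the three credentials named in the summary whether they arrive as --opt=value, as --opt value, or as keys in a parsed config tree, and it includes the check a reader of the WORKAROUNDS list would want, scanning a constructed ps listing or log line for the secret values that were passed in. Matching option names by suffix (so prefixed spellings of the real flags, such as sslPEMKeyPassword, are caught as well as the bare names the issue uses), the <password> placeholder, and the sample config layout are assumptions of this example.

```python
"""Redact sensitive mongod startup options before they reach a log line or a
getCmdLineOpts-style response. Constructed example, not MongoDB's code."""

# The three credentials the issue says 2.6.0 fails to redact. Assumption:
# match on suffix, case-insensitively, so prefixed spellings of the real flags
# (e.g. sslPEMKeyPassword, sslClusterPassword) are caught as well as the bare
# names used in the issue text.
SENSITIVE_SUFFIXES = ("pemkeypassword", "clusterpassword", "servicepassword")
REDACTED = "<password>"  # placeholder chosen for this example


def is_sensitive(name):
    """True if an option name denotes one of the three credentials."""
    return name.lower().endswith(SENSITIVE_SUFFIXES)


def redact_argv(argv):
    """Return a copy of argv with credential values masked.

    Handles both ``--sslClusterPassword=secret`` and ``--sslClusterPassword secret``.
    The option name is kept so the redacted command line stays readable; only
    the value is replaced.
    """
    out = []
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("--"):
            name, sep, _value = arg[2:].partition("=")
            if is_sensitive(name):
                if sep:  # --name=value form
                    out.append("--%s=%s" % (name, REDACTED))
                    i += 1
                    continue
                out.append(arg)  # --name value form: value is the next token
                i += 1
                if i < len(argv) and not argv[i].startswith("--"):
                    out.append(REDACTED)
                    i += 1
                continue
        out.append(arg)
        i += 1
    return out


def redact_options(options):
    """Return a deep copy of a parsed option tree with credential values masked.

    Config files nest options under sections, so the whole tree is walked;
    the input is left untouched.
    """
    if isinstance(options, dict):
        return {k: (REDACTED if is_sensitive(k) else redact_options(v))
                for k, v in options.items()}
    if isinstance(options, list):
        return [redact_options(v) for v in options]
    return options


def leaked_secrets(text, secrets):
    """Secrets that appear verbatim in text (a log line, a ps listing)."""
    return sorted(s for s in secrets if s in text)


if __name__ == "__main__":
    # Constructed sample: a command line and a parsed config as an operator
    # might supply them; the secret values are made up.
    argv = ["mongod", "--config", "/etc/mongod.conf",
            "--sslClusterPassword", "s3cret", "--sslPEMKeyPassword=pem-pw"]
    config = {"net": {"port": 27017,
                      "ssl": {"PEMKeyFile": "/etc/ssl/mongod.pem",
                              "PEMKeyPassword": "pem-pw",
                              "clusterPassword": "s3cret"}}}
    print(" ".join(redact_argv(argv)))
    print(redact_options(config))
    # What the workaround list guards against: a process listing that still
    # carries the value. Constructed ps-style line.
    ps_line = "mongod --config /etc/mongod.conf --sslClusterPassword s3cret"
    print("leaked:", leaked_secrets(ps_line, ["s3cret", "pem-pw"]))
```

      Run it against your own argv and parsed config before writing either to a log; if leaked_secrets reports anything from a ps listing on a 2.6.0 host, move the option into the config file as the work-around advises.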

      AFFECTED VERSIONS
      Version 2.6.0 was affected by this bug.

      PATCHES
      The patch is included in the 2.6.1 production release.

        Activity

        Githook User added a comment -

        Author: Shaun Verch <shaun.verch@mongodb.com>
        Message: SERVER-13644 Fix command line censorship
        Branch: master
        https://github.com/mongodb/mongo/commit/44da20890f6af02ba766ca14991bbb072395a7ef

        Githook User added a comment -

        Author: Shaun Verch <shaun.verch@mongodb.com>
        Message: SERVER-13644 Fix command line censorship
        (cherry picked from commit 44da20890f6af02ba766ca14991bbb072395a7ef)
        Branch: v2.6
        https://github.com/mongodb/mongo/commit/791fcf4495b08bd8c108f3275ba4e489b4928537

        Githook User added a comment -

        Author: Shaun Verch <shaun.verch@mongodb.com>
        Message: Revert "SERVER-13644 Fix command line censorship"

        This reverts commit 44da20890f6af02ba766ca14991bbb072395a7ef.
        Branch: master
        https://github.com/mongodb/mongo/commit/65213714da82cf43ba5f54d34d1c6a2923d4a0bf

        Githook User added a comment -

        Author: Shaun Verch <shaun.verch@mongodb.com>
        Message: Revert "SERVER-13644 Fix command line censorship"

        This reverts commit 44da20890f6af02ba766ca14991bbb072395a7ef.
        (cherry picked from commit 65213714da82cf43ba5f54d34d1c6a2923d4a0bf)
        Branch: v2.6
        https://github.com/mongodb/mongo/commit/e83de252bac4f30b7a02bc08c6bc2e14c0f187bb

        Githook User added a comment -

        Author: Shaun Verch <shaun.verch@mongodb.com>
        Message: SERVER-13644 Fix command line censorship
        Branch: master
        https://github.com/mongodb/mongo/commit/b1d30046c769ed625faf301c8b62186c4aeee86e

        Githook User added a comment -

        Author: Shaun Verch <shaun.verch@mongodb.com>
        Message: SERVER-13644 Fix command line censorship
        (cherry picked from commit b1d30046c769ed625faf301c8b62186c4aeee86e)
        Branch: v2.6
        https://github.com/mongodb/mongo/commit/52faaa32ef9226cf6583e82d97caa40c46dade80

          People

          • Votes: 0
          • Watchers: 8