Uploaded image for project: 'Core Server'
  1. Core Server
  2. SERVER-24378

Authenticating against non-existent database with 2.4 style users should not create database in memory

    XMLWordPrintable

    Details

    • Operating System:
      ALL

      Description

      Issue Status as of Jun 02, 2016

      ISSUE SUMMARY
      Authenticating against non-existent database that contains 2.4-style users creates database in memory.

      This bug has been assigned CVE-2016-3104.

      USER IMPACT
      In-memory representation of databases increases memory consumption in mongod. In very extreme cases this increase in memory consumption may cause mongod to run out of memory and either terminate or be terminated by the operating system’s OOM killer.

      AFFECTED VERSIONS
      This issue only affects the following MongoDB versions when running with authentication under the following conditions:

      • MongoDB version 2.4
      • MongoDB version 2.6 when running with 2.4-style users

      To find out if your deployment has 2.4-style users please see the documentation on auth schemas.

      Neither MongoDB 2.6 with 2.6-style users, nor MongoDB 3.0 and newer are affected by this issue.

      WORKAROUNDS AND REMEDIATION
      There’s no workaround for this issue in MongoDB 2.4. Users affected by this issue should consider upgrading to a newer version.

      MongoDB 2.6 users affected by this issue should complete the 2.6 upgrade process and upgrade their authorization schema.

      For more information on remediation please see the Security Manual and the Security Checklist.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ramon.fernandez Ramon Fernandez
              Participants:
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: