Authenticating against non-existent database that contains 2.4-style users creates database in memory.
This bug has been assigned CVE-2016-3104.
In-memory representation of databases increases memory consumption in mongod. In very extreme cases this increase in memory consumption may cause mongod to run out of memory and either terminate or be terminated by the operating system’s OOM killer.
This issue only affects the following MongoDB versions when running with authentication under the following conditions:
- MongoDB version 2.4
- MongoDB version 2.6 when running with 2.4-style users
To find out if your deployment has 2.4-style users please see the documentation on auth schemas.
Neither MongoDB 2.6 with 2.6-style users, nor MongoDB 3.0 and newer are affected by this issue.
WORKAROUNDS AND REMEDIATION
There’s no workaround for this issue in MongoDB 2.4. Users affected by this issue should consider upgrading to a newer version.
MongoDB 2.6 users affected by this issue should complete the 2.6 upgrade process and upgrade their authorization schema.
For more information on remediation please see the Security Manual and the Security Checklist.