Core Server
SERVER-4216

[SECURITY] mongodb 10gen debian package listens on all interfaces by default

Details

• Type: Bug
• Status: Closed
• Priority: Critical - P2
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 2.6.0-rc0
• Component/s: Packaging, Security
• Labels: None
• Environment: Debian Testing
• Backwards Compatibility: Fully Compatible
• Operating System: Linux
• Sprint: Security [00-02-20-15]

Description

The default install of mongodb from the repo:
http://downloads-distro.mongodb.org/repo/debian-sysvinit

does not have a "bind_ip 127.0.0.1" option set in the mongodb.conf. This leaves a user's server vulnerable if they are not aware of this setting. The default should be to lock down as much as possible and only expose if the user requests it.
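The weak and corrected configurations side by side, with a small audit script, as an added example that is not part of this ticket and not MongoDB's packaging code. It parses the key=value mongodb.conf format the sysvinit package used and reports whether mongod started with that file would listen on every interface. The two config texts, the file layout and the function names are constructed for the example; the only fact taken from the ticket is that an absent bind_ip means mongod binds to all interfaces.

```python
"""Added example for SERVER-4216: audit a mongod config for bind_ip.

Not MongoDB's code. Parses the key=value mongodb.conf format that the
sysvinit package used and reports whether mongod, started with that file,
would listen on every interface. The two config texts below are constructed
samples, not the package's actual files.
"""
import ipaddress

# Constructed: a config with no bind_ip line, as the ticket describes.
DEFAULT_CONF = """\
# mongodb.conf (constructed sample)
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
#bind_ip = 127.0.0.1
"""

# Constructed: the same config with the setting the ticket asks for.
HARDENED_CONF = """\
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
bind_ip = 127.0.0.1
"""


def parse_conf(text):
    """Parse key=value lines; '#' starts a comment, blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def is_loopback_only(bind_ip):
    """True only if every comma-separated address is a loopback address.

    Anything that is not a literal IP (for example a hostname) is treated
    as unverified, so the check errs toward reporting exposure.
    """
    addrs = [a.strip() for a in bind_ip.split(",") if a.strip()]
    if not addrs:
        return False
    for addr in addrs:
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return False
        except ValueError:
            return False
    return True


def audit(conf_text):
    """Return (exposed, reason) for a mongodb.conf text."""
    settings = parse_conf(conf_text)
    bind_ip = settings.get("bind_ip")
    if bind_ip is None:
        # mongod's own default when bind_ip is absent: bind to all interfaces.
        return True, "bind_ip not set: mongod will listen on all interfaces"
    if not is_loopback_only(bind_ip):
        return True, "bind_ip=%s includes a non-loopback address" % bind_ip
    return False, "bind_ip=%s: loopback only" % bind_ip


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        exposed, reason = audit(conf)
        print("%-8s exposed=%s  %s" % (name, exposed, reason))
```

On a running host the same question is answered from the socket table: `ss -ltn` (or `netstat -ltn`) showing a local address of `0.0.0.0:27017` or `*:27017` means the daemon is reachable on every interface, whatever the config file says. bind_ip only limits where mongod listens; it is not authentication, so a loopback-only bind should still be paired with auth and a host firewall for anything beyond a single-host deployment.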

People

• Votes: 2
• Watchers: 11