Core Server: SERVER-4216

[SECURITY] mongodb 10gen debian package listens on all interfaces by default

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.0-rc0
    • Component/s: Packaging, Security
    • Labels:
      None
    • Environment:
      Debian Testing
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      Linux
    • Sprint:
      Security [00-02-20-15]

      Description

The default install of mongodb from the repo http://downloads-distro.mongodb.org/repo/debian-sysvinit does not have a "bind_ip 127.0.0.1" option set in the mongodb.conf. This leaves a user's server vulnerable if they are not aware of this setting. The default should be to lock down as much as possible and only expose if the user requests it.
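As an added illustration of the check a defender would want here, the following Python audits a mongodb.conf for the bind_ip setting the ticket asks for. It is example code written for this page, not code from the ticket or from the MongoDB packages. It assumes the legacy key = value config format of that era, and both sample configuration files (the weak one with no bind_ip line, and the same file with bind_ip = 127.0.0.1 added) are constructed for illustration.

```python
"""Audit a legacy (key = value) mongodb.conf for the bind_ip setting.

Added example, not part of SERVER-4216 or the MongoDB packages. The two
sample configurations below are constructed; the hardened one carries the
"bind_ip 127.0.0.1" setting the ticket says the packaged default lacks.
"""
import ipaddress

# Constructed sample: the weak packaged default described in the ticket,
# where no bind_ip line is present and mongod listens on every interface.
WEAK_CONF = """\
# mongodb.conf
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
"""

# Constructed sample: the same file with the loopback-only binding added.
HARDENED_CONF = WEAK_CONF + "bind_ip = 127.0.0.1\n"


def parse_legacy_conf(text):
    """Parse the old key = value / key=value format into a dict.

    Comment lines (#) and blank lines are skipped; keys are lower-cased.
    Repeated keys keep the last value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def classify_bind_ip(settings):
    """Return one of 'all_interfaces', 'loopback_only' or 'specific'.

    No bind_ip at all means mongod binds every interface, which is the
    exposure the ticket reports. An explicit unspecified address (0.0.0.0
    or ::) is the same thing written down. Anything else is a specific
    address list; it is 'loopback_only' only when every entry is loopback.
    """
    raw = settings.get("bind_ip")
    if raw is None:
        return "all_interfaces"
    addresses = [a.strip() for a in raw.split(",") if a.strip()]
    if not addresses:
        return "all_interfaces"
    parsed = []
    for addr in addresses:
        try:
            parsed.append(ipaddress.ip_address(addr))
        except ValueError:
            # Hostnames cannot be proven loopback without resolving them,
            # so they are reported as 'specific' for a human to confirm.
            return "specific"
    if any(ip.is_unspecified for ip in parsed):
        return "all_interfaces"
    if all(ip.is_loopback for ip in parsed):
        return "loopback_only"
    return "specific"


def audit(text):
    """Parse a config and return (classification, finding) for a report."""
    state = classify_bind_ip(parse_legacy_conf(text))
    findings = {
        "all_interfaces": "mongod accepts connections on every interface; "
                          "set 'bind_ip = 127.0.0.1' (or a specific address) "
                          "unless remote access is intended",
        "loopback_only": "mongod only listens on loopback",
        "specific": "mongod listens on an explicit address list; confirm "
                    "each address is meant to be reachable",
    }
    return state, findings[state]


if __name__ == "__main__":
    for name, conf in (("weak default", WEAK_CONF), ("hardened", HARDENED_CONF)):
        state, finding = audit(conf)
        print(f"{name:12s} -> {state}: {finding}")
```

Run against a real file with `audit(open("/etc/mongodb.conf").read())`; a missing bind_ip and an explicit 0.0.0.0 are reported the same way, since both leave the daemon reachable from every interface, which is the point the ticket makes about the packaged default.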


          Activity

Eliot Horowitz added a comment -

This will break current deployments - so will need to be heavily documented and easy to debug.
Roman Shtylman added a comment -

I agree, but I think it is very important that updated packages get out there asap. Since mongodb ships with no auth by default this leaves many people completely vulnerable without realizing it.
Andreas Nilsson (Inactive) added a comment -

Binding to localhost on Debian by default
