Core Server / SERVER-4216

[SECURITY] mongodb 10gen debian package listens on all interfaces by default


Details

    • Bug
    • Status: Closed
    • Critical - P2
    • Resolution: Fixed
    • None
    • 2.6.0-rc0
    • Packaging, Security
    • None
    • Debian Testing
    • Fully Compatible
    • Linux
    • Security [00-02-20-15]

    Description

      The default install of mongodb from the repo:
      http://downloads-distro.mongodb.org/repo/debian-sysvinit

      does not have a "bind_ip 127.0.0.1" option set in the mongodb.conf. This leaves a user's server vulnerable if they are not aware of this setting. The default should be to lock down as much as possible and only expose if the user requests it.
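
An added example, not part of the original report or of MongoDB's packaging: one way to audit a legacy mongodb.conf for the condition described above, including the case where the setting is present but commented out. It assumes the pre-YAML `key = value` file syntax with `#` comments; the function names and the sample file contents are constructed for illustration.

```python
import ipaddress

# Constructed sample files (not the packaged defaults), legacy key = value syntax.
SAMPLE_UNSET = "dbpath = /var/lib/mongodb\n#bind_ip = 127.0.0.1\nport = 27017\n"
SAMPLE_LOOPBACK = "bind_ip = 127.0.0.1\nport = 27017\n"
SAMPLE_EXPOSED = "bind_ip = 127.0.0.1, 192.0.2.10  # app subnet\n"


def _is_loopback(addr):
    """True only for 'localhost' or a literal loopback IP (127.0.0.0/8, ::1)."""
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # other hostnames: treat as exposed until checked by hand


def audit_bind_ip(conf_text):
    """Classify the bind_ip setting of a legacy mongodb.conf.

    Returns (verdict, addresses) where verdict is:
      "unset"    - no active bind_ip line, so the file does not restrict interfaces
      "loopback" - every listed address is a loopback address
      "exposed"  - at least one listed address is not loopback
    """
    addresses = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out setting is not active
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bind_ip":
            addresses = [a.strip() for a in value.split(",") if a.strip()]
    if not addresses:
        return "unset", []
    verdict = "loopback" if all(_is_loopback(a) for a in addresses) else "exposed"
    return verdict, addresses


if __name__ == "__main__":
    for name, text in [("unset", SAMPLE_UNSET), ("loopback", SAMPLE_LOOPBACK),
                       ("exposed", SAMPLE_EXPOSED)]:
        print(name, audit_bind_ip(text))
```

A verdict of "unset" or "exposed" is the cue to confirm what the running mongod is actually bound to and whether a firewall sits in front of it.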

            People

              andreas.nilsson Andreas Nilsson
              shtylman Roman Shtylman
              Votes: 2
              Watchers: 12