Core Server / SERVER-4216

[SECURITY] mongodb 10gen debian package listens on all interfaces by default

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical - P2
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2.6.0-rc0
    • Component/s: Packaging, Security
    • Labels:
      None
    • Environment:
      Debian Testing
    • Backwards Compatibility:
      Fully Compatible
    • Operating System:
      Linux
    • Sprint:
      Security [00-02-20-15]

      Description

      The default install of mongodb from the repo:
      http://downloads-distro.mongodb.org/repo/debian-sysvinit

      does not have a "bind_ip 127.0.0.1" option set in the mongodb.conf. This leaves a user's server vulnerable if they are not aware of this setting. The default should be to lock down as much as possible and only expose if the user requests it.
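
An audit check for the setting this report describes, as an added example that is not part of the original issue or of MongoDB's packaging: it parses legacy `key = value` mongodb.conf text and reports whether mongod would listen beyond loopback. The sample configs and function names are constructed, and a missing `bind_ip` is treated as all interfaces, as the issue states.

```python
import ipaddress

# Constructed sample configs in the legacy key = value mongodb.conf format.
CONF_WITHOUT_BIND = """\
# mongodb.conf (constructed sample)
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongodb.log
#bind_ip = 127.0.0.1
port = 27017
"""
CONF_LOCKED_DOWN = CONF_WITHOUT_BIND.replace("#bind_ip", "bind_ip")

WILDCARDS = {"0.0.0.0", "::"}


def bind_addresses(conf_text):
    """Return the list of bind_ip values, or None if the option is not set."""
    found = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, incl. commented-out options
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bind_ip":
            found = [a.strip() for a in value.split(",") if a.strip()]
    return found


def is_loopback(addr):
    if addr == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # hostname or junk: do not assume it is local


def exposure(conf_text):
    """Classify a config as 'all-interfaces', 'loopback-only' or 'specific'."""
    addrs = bind_addresses(conf_text)
    # Assumption taken from the issue: no bind_ip means every interface.
    if not addrs or WILDCARDS & set(addrs):
        return "all-interfaces"
    return "loopback-only" if all(is_loopback(a) for a in addrs) else "specific"


if __name__ == "__main__":
    for name, conf in [("without bind_ip", CONF_WITHOUT_BIND),
                       ("locked down", CONF_LOCKED_DOWN)]:
        print(name, "->", exposure(conf))
```

A result of `specific` still means the listed non-loopback addresses are reachable and need firewalling or authentication of their own.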

              People

              Assignee:
              andreas.nilsson Andreas Nilsson
              Reporter:
              shtylman Roman Shtylman
              Votes:
              2
              Watchers:
              12
