Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Minor - P4
Fix Version/s: 4.7.0, 4.4.2, 4.2.11, 4.0.22
Affects Version/s: None
Component/s: None
Labels:
None

Backwards Compatibility:
Minor Change
Backport Requested:

v4.4, v4.2, v4.0
Sprint:
Security 2020-08-10, Security 2020-08-24, Security 2020-09-07
Case:
Confidence Status:
None
Work Order:
3

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name:
None
Goal Link:
None

Given an unauthed connection to a host that requires authentication, these connections still need to be closed, but when client.disconnect is called on those, disconnect runs the endSession which results in an authorization failure. Although this failure is not logged explicitly, it can still show up in the audit logs. It seems this would require a change to the sessions specification (https://github.com/mongodb/specifications/blob/master/source/sessions/driver-sessions.rst#endsession).

This issue arose in the monitoring module in the mongodb agent because it creates both the unauthed and authed client connections for all new hosts, independent of if the host requires authentication. These failures are showing up in the audit logs and can be concerning for customers from a security perspective.

is duplicated by

SERVER-50211 Getting issue "ACCESS [conn298810] Unauthorized: not authorized on admin to execute command { endSessions: [ { id: UUID("acb7b7b0-5cfd-48d9-ae40-25e20d1ead63") } ], $db: "admin" }"

Closed

Assignee:: Sara Golemon (Inactive)
Reporter:: Julia Ruddy (Inactive)
Participants:: Divjot Arora, Githook User, Julia Ruddy, Sara Golemon, Spencer Jackson
Votes:: 0 Vote for this issue
Watchers:: 9 Start watching this issue

Created:: May 21 2020 05:15:00 PM UTC
Updated:: Jan 08 2024 03:23:02 PM UTC
Resolved:: Aug 25 2020 06:05:49 PM UTC
Confidence Status Last Update:: 18/Aug/20 5:09 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates