SERVER-49165 (Core Server)

endSessions command in Client.Disconnect causes an authorization failure for an unauthed connection on a host that requires authentication


Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Fix Version/s: 4.7.0, 4.4.2, 4.2.11, 4.0.22
    • Backwards Compatibility: Minor Change
    • Backport Requested: v4.4, v4.2, v4.0
    • Sprint: Security 2020-08-10, Security 2020-08-24, Security 2020-09-07

    Description

      Given an unauthenticated connection to a host that requires authentication, the connection still has to be closed eventually. When client.disconnect is called on such a connection, disconnect sends the endSessions command, and on a host that requires authentication that command fails with an authorization error. The failure is not logged explicitly by the client, but it does show up in the server's audit log. Fixing this appears to require a change to the sessions specification (https://github.com/mongodb/specifications/blob/master/source/sessions/driver-sessions.rst#endsession).

      The issue arose in the monitoring module of the MongoDB agent, which creates both an unauthenticated and an authenticated client connection for every new host, regardless of whether the host requires authentication. The resulting authorization failures appear in customers' audit logs and can be alarming from a security perspective, even though they are not real unauthorized access attempts.
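The practical consequence of this bug for a defender is audit-log noise: an `endSessions` authorization failure from a connection that never authenticated is an artifact of the client disconnecting, whereas an authorization failure on a data command is something to investigate. The triage below is an added example and is not code from the ticket, the MongoDB agent or the server; it assumes the field layout of MongoDB's JSON audit log (`atype`, `users`, `param.command`, `result`, with `result` 13 meaning Unauthorized) and uses constructed sample records, not log lines from the ticket.

```python
import json

# Constructed sample audit records (not from the ticket). The field layout
# (atype/users/param/result, result 13 == Unauthorized) is assumed to match
# MongoDB's JSON audit log format.
SAMPLE_AUDIT_LINES = [
    # The pattern described in SERVER-49165: unauthenticated connection,
    # endSessions sent on disconnect, denied with code 13.
    '{"atype":"authCheck","ts":{"$date":"2020-08-10T10:00:00.000Z"},'
    '"remote":{"ip":"10.0.0.5","port":41000},"users":[],"roles":[],'
    '"param":{"command":"endSessions","ns":"admin","args":{"endSessions":[]}},"result":13}',
    # An authenticated user denied a data command: a real authorization problem.
    '{"atype":"authCheck","ts":{"$date":"2020-08-10T10:00:01.000Z"},'
    '"remote":{"ip":"10.0.0.6","port":41001},"users":[{"user":"app","db":"admin"}],'
    '"roles":[{"role":"read","db":"reporting"}],'
    '"param":{"command":"find","ns":"payments.cards","args":{"find":"cards"}},"result":13}',
    # An unauthenticated connection denied a data command: must be investigated.
    '{"atype":"authCheck","ts":{"$date":"2020-08-10T10:00:02.000Z"},'
    '"remote":{"ip":"10.0.0.7","port":41002},"users":[],"roles":[],'
    '"param":{"command":"find","ns":"payments.cards","args":{"find":"cards"}},"result":13}',
    # Authenticated endSessions that succeeded: normal client shutdown.
    '{"atype":"authCheck","ts":{"$date":"2020-08-10T10:00:03.000Z"},'
    '"remote":{"ip":"10.0.0.5","port":41003},"users":[{"user":"monitor","db":"admin"}],'
    '"roles":[{"role":"clusterMonitor","db":"admin"}],'
    '"param":{"command":"endSessions","ns":"admin","args":{"endSessions":[]}},"result":0}',
    # A different audit event type; outside the scope of this filter.
    '{"atype":"authenticate","ts":{"$date":"2020-08-10T10:00:04.000Z"},'
    '"remote":{"ip":"10.0.0.8","port":41004},"users":[],"roles":[],'
    '"param":{"user":"app","db":"admin","mechanism":"SCRAM-SHA-256"},"result":18}',
]

UNAUTHORIZED = 13  # MongoDB error code for Unauthorized (assumed from the audit format)


def classify_record(rec):
    """Bucket one parsed audit record by how a reviewer should treat it."""
    if rec.get("atype") != "authCheck":
        return "other"
    if rec.get("result", 0) == 0:
        return "allowed"
    command = (rec.get("param") or {}).get("command")
    unauthenticated = not rec.get("users")  # empty users list: never authenticated
    if rec.get("result") == UNAUTHORIZED and unauthenticated and command == "endSessions":
        # Exactly the SERVER-49165 artifact: an unauthenticated connection being
        # closed, not an attempt to read or modify data.
        return "endsessions_on_unauthed_disconnect"
    if unauthenticated:
        return "unauthenticated_denied"
    return "authenticated_denied"


def triage(lines):
    """Count records per category so noise and real denials can be separated."""
    counts = {}
    for line in lines:
        category = classify_record(json.loads(line))
        counts[category] = counts.get(category, 0) + 1
    return counts


if __name__ == "__main__":
    for category, n in sorted(triage(SAMPLE_AUDIT_LINES).items()):
        print(f"{category}: {n}")
```

The `endsessions_on_unauthed_disconnect` bucket is the one this ticket explains; it is safe to suppress in alerting once the client or agent version in use is known to be affected, while `unauthenticated_denied` and `authenticated_denied` remain worth a look. Suppress on the full combination (no authenticated user, `endSessions`, code 13), not on the command name alone, so that a denied `endSessions` from an authenticated but under-privileged user is still surfaced.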


People

  sara.golemon@mongodb.com Sara Golemon
  julia.ruddy@mongodb.com Julia Ruddy
  Votes: 0
  Watchers: 9