Core Server / SERVER-49165

endSessions command in Client.Disconnect causes an authorization failure for an unauthed connection on a host that requires authentication


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor - P4
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 4.7.0, 4.4.2, 4.2.11, 4.0.22
    • Component/s: None
    • Labels:
      None
    • Backwards Compatibility:
      Minor Change
    • Backport Requested:
      v4.4, v4.2, v4.0
    • Sprint:
      Security 2020-08-10, Security 2020-08-24, Security 2020-09-07

      Description

      Given an unauthenticated connection to a host that requires authentication, that connection still needs to be closed. When client.disconnect is called on it, disconnect runs the endSessions command, which fails with an authorization error on the server. The failure is not logged explicitly by the client, but it can still appear in the server's audit log. Fixing this properly seems to require a change to the sessions specification (https://github.com/mongodb/specifications/blob/master/source/sessions/driver-sessions.rst#endsession).

      This issue arose in the monitoring module of the MongoDB agent, which creates both an unauthenticated and an authenticated client connection for every new host, regardless of whether the host requires authentication. The resulting failures show up in the audit log and can be concerning for customers from a security perspective.
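      To tell these benign endSessions failures apart from genuine authorization failures, an audit-log reviewer can key on the command name and the empty users array. The following is an added example, not code from the ticket or the MongoDB project; it assumes the JSON audit-log shape (atype, result, users, param.command) and MongoDB's error code 13 for Unauthorized, and the sample log lines are constructed.

```python
import json

# Constructed sample of MongoDB audit-log lines (one JSON event per line).
# The first event shows the pattern from this issue: endSessions sent by a
# connection that never authenticated, so "users" is empty and result is 13.
SAMPLE_AUDIT_LOG = """\
{"atype":"authCheck","ts":{"$date":"2020-08-12T10:15:01.120Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50212},"users":[],"roles":[],"param":{"command":"endSessions","ns":"admin","args":{"endSessions":[{"id":"<session-uuid-placeholder>"}]}},"result":13}
{"atype":"authCheck","ts":{"$date":"2020-08-12T10:15:02.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50213},"users":[{"user":"monitor","db":"admin"}],"roles":[{"role":"clusterMonitor","db":"admin"}],"param":{"command":"find","ns":"config.shards","args":{"find":"shards"}},"result":13}
{"atype":"authCheck","ts":{"$date":"2020-08-12T10:15:03.000Z"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50213},"users":[{"user":"monitor","db":"admin"}],"roles":[{"role":"clusterMonitor","db":"admin"}],"param":{"command":"isMaster","ns":"admin","args":{"isMaster":1}},"result":0}
"""

UNAUTHORIZED = 13  # MongoDB error code for "Unauthorized"


def classify_auth_failures(log_text):
    """Split authCheck failures into the benign endSessions-on-unauthenticated-
    connection pattern described in this issue and everything else."""
    benign, needs_review = [], []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("atype") != "authCheck" or ev.get("result") != UNAUTHORIZED:
            continue  # not an authorization failure
        cmd = ev.get("param", {}).get("command")
        # Signature of this issue: endSessions with no authenticated user.
        # Any other authorization failure is kept for a human to review.
        if cmd == "endSessions" and not ev.get("users"):
            benign.append(ev)
        else:
            needs_review.append(ev)
    return benign, needs_review


def summarize(events):
    """Compact (remote ip, command, authenticated users) tuples for reporting."""
    return [(e["remote"]["ip"], e["param"]["command"],
             [u["user"] for u in e.get("users", [])]) for e in events]


if __name__ == "__main__":
    benign, needs_review = classify_auth_failures(SAMPLE_AUDIT_LOG)
    print("benign endSessions failures:", summarize(benign))
    print("failures needing review:", summarize(needs_review))
```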

              People

              Assignee:
              sara.golemon Sara Golemon
              Reporter:
              julia.ruddy Julia Ruddy
              Votes:
              0
              Watchers:
              9