
endSessions command in Client.Disconnect causes an authorization failure for an unauthed connection on a host that requires authentication

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor - P4
    • 4.7.0, 4.4.2, 4.2.11, 4.0.22
    • Affects Version/s: None
    • Component/s: None
    • Labels:
    • Minor Change
    • v4.4, v4.2, v4.0
    • Security 2020-08-10, Security 2020-08-24, Security 2020-09-07

      Given an unauthenticated connection to a host that requires authentication, the connection still needs to be closed, but when Client.Disconnect is called on it, Disconnect runs the endSessions command, which results in an authorization failure. Although this failure is not logged explicitly, it can still show up in the audit logs. It seems this would require a change to the sessions specification (https://github.com/mongodb/specifications/blob/master/source/sessions/driver-sessions.rst#endsession).

      This issue arose in the monitoring module of the MongoDB agent because it creates both the unauthenticated and authenticated client connections for every new host, regardless of whether the host requires authentication. These failures show up in the audit logs and can be concerning for customers from a security perspective.
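      The practical problem for an operator is telling the disconnect-time endSessions failures described above apart from authorization failures that deserve a look. The following Go program is an added example for this ticket, not code from the MongoDB server, driver or agent. It assumes audit records in the server's JSON audit format (an `authCheck` event with `users`, `param.command` and a numeric `result`, where 13 is the Unauthorized error code), and the sample lines, the `AuditEntry` struct and the `Triage`/`IsUnauthedEndSessions` functions are all constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// AuditEntry models only the fields of a JSON audit record that the triage
// needs: the event type, the users authenticated on the connection, the
// command being checked and the result code. Other fields are ignored.
type AuditEntry struct {
	AType string `json:"atype"`
	Users []struct {
		User string `json:"user"`
		DB   string `json:"db"`
	} `json:"users"`
	Param struct {
		Command string `json:"command"`
		NS      string `json:"ns"`
	} `json:"param"`
	Result int `json:"result"`
}

// errUnauthorized is the MongoDB "Unauthorized" error code.
const errUnauthorized = 13

// IsUnauthedEndSessions reports whether an entry matches the pattern from
// SERVER-49165: an authorization check for endSessions that failed because
// the connection never authenticated (empty users list).
func IsUnauthedEndSessions(e AuditEntry) bool {
	return e.AType == "authCheck" &&
		e.Result == errUnauthorized &&
		e.Param.Command == "endSessions" &&
		len(e.Users) == 0
}

// Triage splits newline-delimited audit records into "benign" (the
// disconnect-time endSessions failures) and "review" (every other failed
// authorization check). Lines that are not valid JSON are counted as skipped.
func Triage(auditLog string) (benign, review []AuditEntry, skipped int) {
	for _, line := range strings.Split(auditLog, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		var e AuditEntry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			skipped++
			continue
		}
		// Successful checks (result 0) and non-authCheck events are not failures.
		if e.AType != "authCheck" || e.Result == 0 {
			continue
		}
		if IsUnauthedEndSessions(e) {
			benign = append(benign, e)
		} else {
			review = append(review, e)
		}
	}
	return benign, review, skipped
}

// sampleAudit is constructed for this example; it is not a real audit log.
const sampleAudit = `
{"atype":"authCheck","ts":{"$date":"2020-08-10T12:00:00.000+0000"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"127.0.0.1","port":51000},"users":[],"roles":[],"param":{"command":"endSessions","ns":"admin","args":{"endSessions":[]}},"result":13}
{"atype":"authCheck","ts":{"$date":"2020-08-10T12:00:01.000+0000"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"127.0.0.1","port":51001},"users":[{"user":"agent","db":"admin"}],"roles":[{"role":"clusterMonitor","db":"admin"}],"param":{"command":"endSessions","ns":"admin","args":{"endSessions":[]}},"result":0}
{"atype":"authCheck","ts":{"$date":"2020-08-10T12:00:02.000+0000"},"local":{"ip":"127.0.0.1","port":27017},"remote":{"ip":"10.0.0.5","port":40022},"users":[],"roles":[],"param":{"command":"find","ns":"payroll.salaries","args":{"find":"salaries"}},"result":13}
not json
`

func main() {
	benign, review, skipped := Triage(sampleAudit)
	fmt.Printf("benign endSessions failures: %d, failures to review: %d, skipped lines: %d\n",
		len(benign), len(review), skipped)
	for _, e := range review {
		fmt.Printf("  review: %s on %s (result %d)\n", e.Param.Command, e.Param.NS, e.Result)
	}
}
```

      Run against the constructed sample, the first record is classified as the benign disconnect pattern, the second is a successful check and is ignored, and the third (an unauthenticated `find` that was refused) is kept for review. The filter is deliberately narrow: it only discounts `endSessions` from connections with no authenticated user, so any other refused command still surfaces.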

            sara.golemon@mongodb.com Sara Golemon
            julia.ruddy@mongodb.com Julia Ruddy (Inactive)