endSessions command in Client.Disconnect causes an authorization failure for an unauthed connection on a host that requires authentication

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor - P4
    • Fix Version/s: 4.7.0, 4.4.2, 4.2.11, 4.0.22
    • Affects Version/s: None
    • Component/s: None
    • Backwards Compatibility: Minor Change
    • Backport Requested: v4.4, v4.2, v4.0
    • Sprint: Security 2020-08-10, Security 2020-08-24, Security 2020-09-07

      Given an unauthenticated connection to a host that requires authentication, the connection still needs to be closed, but when Client.Disconnect is called on it, Disconnect sends the endSessions command, which fails with an authorization error. The driver does not log this failure explicitly, but it can still show up in the server's audit logs. It seems this would require a change to the sessions specification (https://github.com/mongodb/specifications/blob/master/source/sessions/driver-sessions.rst#endsession).

      This issue arose in the monitoring module of the MongoDB agent, because it creates both an unauthenticated and an authenticated client connection for every new host, regardless of whether the host requires authentication. These failures show up in the audit logs and can be concerning for customers from a security perspective.
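      For anyone reviewing audit logs while this driver behaviour is still deployed, the following added example (not code from the ticket, the driver, or the agent) separates the authorization failures this ticket describes (endSessions from a connection with no authenticated user) from authorization failures that still deserve review. The sample log lines are constructed; the entry shape (atype, users, param.command, result) follows MongoDB's JSON audit-log format, and result code 13 (Unauthorized) is assumed from MongoDB's error codes.

```python
import json

# Constructed sample audit-log lines for illustration; not taken from the ticket.
SAMPLE_AUDIT_LOG = """\
{"atype":"authCheck","ts":{"$date":"2020-08-10T10:00:00.000+0000"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50111},"users":[],"roles":[],"param":{"command":"endSessions","ns":"admin","args":{"endSessions":[{"id":{"$binary":"AAAA","$type":"04"}}],"$db":"admin"}},"result":13}
{"atype":"authCheck","ts":{"$date":"2020-08-10T10:00:01.000+0000"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50112},"users":[{"user":"monitor","db":"admin"}],"roles":[{"role":"clusterMonitor","db":"admin"}],"param":{"command":"endSessions","ns":"admin","args":{"endSessions":[],"$db":"admin"}},"result":0}
{"atype":"authCheck","ts":{"$date":"2020-08-10T10:00:02.000+0000"},"local":{"ip":"10.0.0.5","port":27017},"remote":{"ip":"10.0.0.9","port":50113},"users":[],"roles":[],"param":{"command":"find","ns":"app.users","args":{"find":"users","$db":"app"}},"result":13}
"""

UNAUTHORIZED = 13  # MongoDB error code "Unauthorized" (assumed from the server's error codes)


def classify(entry: dict) -> str:
    """Label one audit entry.

    'benign-endSessions': endSessions rejected on a connection with no authenticated
                          user, i.e. the pattern this ticket attributes to Client.Disconnect.
    'unauthorized':       any other authCheck failure; still worth a look.
    'ok' / 'other':       successful authCheck, or a non-authCheck event type.
    """
    if entry.get("atype") != "authCheck":
        return "other"
    if entry.get("result") != UNAUTHORIZED:
        return "ok"
    command = entry.get("param", {}).get("command")
    # An empty "users" array means nothing authenticated on that connection yet.
    # Only that combination is explained by the ticket; a failing endSessions from an
    # authenticated user is a different situation and is kept in the review set.
    if command == "endSessions" and not entry.get("users"):
        return "benign-endSessions"
    return "unauthorized"


def triage(log_text: str) -> dict:
    """Count labels over a JSON-lines audit log and list the entries left to review."""
    counts: dict = {}
    review = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        label = classify(entry)
        counts[label] = counts.get(label, 0) + 1
        if label == "unauthorized":
            remote = entry.get("remote", {})
            review.append({
                "remote": f"{remote.get('ip')}:{remote.get('port')}",
                "command": entry.get("param", {}).get("command"),
                "ns": entry.get("param", {}).get("ns"),
            })
    return {"counts": counts, "review": review}
```

Once the fixed server or driver versions are rolled out, the benign-endSessions count should drop to zero; if it does not, the filter is hiding something other than this ticket's cause.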

            Assignee: Sara Golemon (Inactive)
            Reporter: Julia Ruddy (Inactive)
            Votes: 0
            Watchers: 9