[DOCS-15079] Document the security non-implications of md5 usage in SCRAM-SHA-1
Created: 01/Feb/22  Updated: 13/Nov/23  Resolved: 15/Feb/22

Status: Closed
Project: Documentation
Component/s: manual, Server
Affects Version/s: None
Fix Version/s: 4.2.0, 4.4.0, 5.0.0, 5.2.0, 5.3.0, Server_Docs_20231030, Server_Docs_20231106, Server_Docs_20231105, Server_Docs_20231113

Type: Task
Priority: Major - P3
Reporter: Bernie Hackett
Assignee: Jason Price
Resolution: Done
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
Participants:
Days since reply: 1 year, 51 weeks, 1 day ago
Epic Link: DOCSP-11701
Story Points: 3

 Description   

We often get tickets like SECURITY-769 or CSHARP-3729 (and similar tickets in other driver projects) where a user complains that their security scanner told them we use md5 and therefore our software has a security vulnerability, or that they tried to use SCRAM-SHA-1 in a FIPS 140-2 environment and failed because FIPS enforcement breaks md5 methods. The following docs pages must be updated to mention the usage of md5 in SCRAM-SHA-1, that md5 is necessary but not used in a cryptographic context, and that FIPS users should use SCRAM-SHA-256, Kerberos, LDAP, x509, etc. in place of SCRAM-SHA-1.

https://docs.mongodb.com/upcoming/core/security-scram/
https://docs.mongodb.com/manual/tutorial/configure-fips/
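
Where the md5 call sits in SCRAM-SHA-1, as an added example (not part of the ticket and not MongoDB's own code): the password handed to SCRAM is the hex MD5 of `username:mongo:password`, and the stored credentials are then derived from it with PBKDF2-HMAC-SHA-1 as in RFC 5802. The function names and sample values are constructed for illustration; the `ValueError` branch reproduces the FIPS failure described above.

```python
import hashlib
import hmac


def mongo_password_digest(username: str, password: str) -> str:
    """Hex MD5 of "<username>:mongo:<password>", used by SCRAM-SHA-1 as the password."""
    data = f"{username}:mongo:{password}".encode("utf-8")
    try:
        return hashlib.md5(data).hexdigest()
    except ValueError as exc:
        # A FIPS-enforcing crypto library refuses MD5 outright, so
        # SCRAM-SHA-1 cannot proceed in that environment.
        raise RuntimeError(
            "MD5 unavailable (FIPS enforcement?): use SCRAM-SHA-256, "
            "Kerberos, LDAP or x509 instead of SCRAM-SHA-1"
        ) from exc


def scram_sha1_keys(username: str, password: str, salt: bytes, iterations: int):
    """Derive (StoredKey, ServerKey) per RFC 5802 from the MD5-based digest."""
    digest = mongo_password_digest(username, password).encode("ascii")
    # The salted, iterated PBKDF2-HMAC-SHA-1 step is what protects the
    # stored credential; the MD5 digest is only its fixed-format input.
    salted = hashlib.pbkdf2_hmac("sha1", digest, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()
    return stored_key, server_key


# Constructed sample values (not taken from the ticket).
SAMPLE_USER = "appuser"
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes(range(16))
SAMPLE_ITERATIONS = 10000

if __name__ == "__main__":
    stored, server = scram_sha1_keys(
        SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_ITERATIONS
    )
    print("password digest:", mongo_password_digest(SAMPLE_USER, SAMPLE_PASSWORD))
    print("StoredKey:", stored.hex())
    print("ServerKey:", server.hex())
```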



 Comments   
Comment by Githook User [ 15/Feb/22 ]

Author:

{'name': 'jason-price-mongodb', 'email': '69260375+jason-price-mongodb@users.noreply.github.com', 'username': 'jason-price-mongodb'}

Message: DOCS-15079-md5-usage-in-SCRAM-SHA-1 (#640)

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>
Branch: v5.2
https://github.com/10gen/docs-mongodb-internal/commit/54966245ef4dab2f2c2a72cb6200d3505e49ff39

Comment by Githook User [ 15/Feb/22 ]

Author:

{'name': 'jason-price-mongodb', 'email': '69260375+jason-price-mongodb@users.noreply.github.com', 'username': 'jason-price-mongodb'}

Message: Docs 15079 md5 usage in scram sha 1 (#612) (#639)

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>
Branch: v5.2
https://github.com/10gen/docs-mongodb-internal/commit/e6075d311eb8e6fb8567e5c58d13279e8308d439

Comment by Githook User [ 15/Feb/22 ]

Author:

{'name': 'jason-price-mongodb', 'email': '69260375+jason-price-mongodb@users.noreply.github.com', 'username': 'jason-price-mongodb'}

Message: DOCS-15079 md5 usage in scram sha 1 (#638)

  • Docs 15079 md5 usage in scram sha 1 (#612)

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>
Branch: v5.0
https://github.com/10gen/docs-mongodb-internal/commit/a2b80f3609be228efadb2851d1e9445f10a16e1e

Comment by Githook User [ 15/Feb/22 ]

Author:

{'name': 'jason-price-mongodb', 'email': '69260375+jason-price-mongodb@users.noreply.github.com', 'username': 'jason-price-mongodb'}

Message: DOCS-15079 md5 usage in scram sha 1 (#637)

  • Docs 15079 md5 usage in scram sha 1 (#612)

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>
Branch: v4.4
https://github.com/10gen/docs-mongodb-internal/commit/cbcc012841161a52729a2e88cbfd160ce38a1800

Comment by Githook User [ 12/Feb/22 ]

Author:

{'name': 'jason-price-mongodb', 'email': '69260375+jason-price-mongodb@users.noreply.github.com', 'username': 'jason-price-mongodb'}

Message: Docs 15079 md5 usage in scram sha 1 (#626)

  • Docs 15079 md5 usage in scram sha 1 (#612)

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>
Branch: v4.2
https://github.com/10gen/docs-mongodb-internal/commit/cf9ca6c0e18d04df9a2ecbd26486530df8798134

Comment by Githook User [ 12/Feb/22 ]

Author:

{'name': 'jason-price-mongodb', 'email': '69260375+jason-price-mongodb@users.noreply.github.com', 'username': 'jason-price-mongodb'}

Message: Docs 15079 md5 usage in scram sha 1 (#612)

Co-authored-by: jason-price-mongodb <jshfjghsdfgjsdjh@aolsdjfhkjsdhfkjsdf.com>
Branch: master
https://github.com/10gen/docs-mongodb-internal/commit/4b9304db21cee73be5b144a121902226848badfc

Comment by James Kovacs [ 01/Feb/22 ]

GridFS optionally uses MD5 hashes for stored files and we have a note in our docs that this is deprecated:
https://docs.mongodb.com/manual/core/gridfs/#mongodb-data-files.md5

Generated at Thu Feb 08 08:11:57 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.