[JAVA-4017] Fix CVE-2021-20328 Created: 17/Feb/21  Updated: 28/Oct/23  Resolved: 18/Feb/21

Status: Closed
Project: Java Driver
Component/s: Client Side Encryption
Affects Version/s: None
Fix Version/s: 3.11.3, 3.12.8, 4.0.6, 4.1.2, 4.2.1

Type: Bug Priority: Major - P3
Reporter: Jeffrey Yemin Assignee: Jeffrey Yemin
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends

Description

Fix CVE-2021-20328

CVE ID: CVE-2021-20328

Title: MongoDB Java driver client-side field level encryption not verifying KMS host name

Description: Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server's certificate. This vulnerability, in combination with an active MITM attack from a privileged network position, could result in interception of traffic between the Java driver and the KMS service, rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics, due to compensating controls in these environments. This issue does not impact driver workloads that don't use Field Level Encryption.

CVSS Score: 6.4

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Exact affected versions:

  • mongo-java-driver, mongodb-driver, mongodb-driver-sync, mongodb-driver-legacy: 3.11.0 - 3.11.2, 3.12.0 - 3.12.7
  • mongodb-driver-sync, mongodb-driver-legacy: 4.0.0 - 4.0.5, 4.1.0 - 4.1.1, 4.2.0

Is fixed version available: Yes. Fixed versions:

  • mongo-java-driver, mongodb-driver, mongodb-driver-sync, mongodb-driver-legacy: 3.11.3, 3.12.8.
  • mongodb-driver-sync, mongodb-driver-legacy: 4.0.6, 4.1.2, 4.2.1

Underlying operating systems affected: All

How the issue was discovered: Internally
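The failure mode in the description, as an added illustration that is not the driver's code or the fix commit: a Java TLS client that validates the certificate chain but never checks the host name, beside the hardened form that turns on JSSE endpoint identification, plus a one-line check a reviewer can apply to any SSLSocket. The class `KmsTlsClient`, its method names and the placeholder host are assumptions.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Hypothetical client for a KMS-style TLS endpoint; not the driver's own code.
public final class KmsTlsClient {

    // Weak form: the trust manager validates the certificate chain, but nothing
    // checks that the certificate's subject/SAN matches the host we dialled, so a
    // valid certificate issued to any other name by a trusted CA is accepted.
    static SSLSocket connectWithoutHostnameCheck(SSLContext ctx, String host, int port)
            throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.startHandshake();
        return socket;
    }

    // Hardened form: endpoint identification makes JSSE also match the peer
    // certificate against the host name (HTTPS rules), so a name mismatch fails
    // the handshake with an SSLHandshakeException instead of being accepted.
    static SSLSocket connectWithHostnameCheck(SSLContext ctx, String host, int port)
            throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params); // must happen before startHandshake()
        socket.startHandshake();
        return socket;
    }

    // Review check: true only if the socket will verify the host name in the handshake.
    static boolean verifiesHostname(SSLSocket socket) {
        String alg = socket.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host (assumption): replace with the KMS endpoint in use.
        String host = args.length > 0 ? args[0] : "kms.example.invalid";
        try (SSLSocket s = connectWithHostnameCheck(SSLContext.getDefault(), host, 443)) {
            System.out.println("hostname verification enabled: " + verifiesHostname(s));
        }
    }
}
```

A socket built by `connectWithoutHostnameCheck` reports `false` from `verifiesHostname`, which is the condition to look for when auditing TLS client code for this class of bug.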

Comments
Comment by Jeffrey Yemin [ 18/Feb/21 ]

Author: jyemin <jeff.yemin@mongodb.com>

Message: Fix CVE-2021-20328

JAVA-4017
Branch: 4.2.x
https://github.com/mongodb/mongo-java-driver/commit/0b441990d8621979c68a45586187f8a12c003f63

Comment by Jeffrey Yemin [ 18/Feb/21 ]

Author: jyemin <jeff.yemin@mongodb.com>

Message: Fix CVE-2021-20328

JAVA-4017
Branch: 3.11.x
https://github.com/mongodb/mongo-java-driver/commit/dcd67f113549276b44795243d41a442e821d2f57

Comment by Jeffrey Yemin [ 18/Feb/21 ]

Author: jyemin <jeff.yemin@mongodb.com>

Message: Fix CVE-2021-20328

JAVA-4017
Branch: 3.12.x
https://github.com/mongodb/mongo-java-driver/commit/ae5b1c0644456f1cf195846a37eea82f6248f812

Comment by Githook User [ 18/Feb/21 ]

Author: jyemin <jeff.yemin@mongodb.com>

Message: Fix CVE-2021-20328

JAVA-4017
Branch: 4.0.x
https://github.com/mongodb/mongo-java-driver/commit/2e258a502b3242b0dd7d5a5952e5cd219fce4c43

Comment by Githook User [ 18/Feb/21 ]

Author: jyemin <jeff.yemin@mongodb.com>

Message: Fix CVE-2021-20328

JAVA-4017
Branch: 4.1.x
https://github.com/mongodb/mongo-java-driver/commit/2d95b7e8d3bf6175e3e7a22e48c88243e6aa45db

Comment by Githook User [ 18/Feb/21 ]

Author: jyemin <jeff.yemin@mongodb.com>

Message: Fix CVE-2021-20328

JAVA-4017
Branch: master
https://github.com/mongodb/mongo-java-driver/commit/60d87d5a76645a331a77ccc45ef7c67aac88b234

Generated at Thu Feb 08 09:01:01 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.