[SERVER-17610] Vulnerable OpenSSL version used in Windows build Created: 16/Mar/15  Updated: 20/Mar/15  Resolved: 18/Mar/15

Status: Closed
Project: Core Server
Component/s: Security
Affects Version/s: 3.0.1
Fix Version/s: None

Type: Bug Priority: Major - P3
Reporter: Jan S. Assignee: Jonathan Reams
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Related
related to SERVER-17368 Create windows SSL zip file with Open... Closed
Operating System: Windows
Sprint: BUILD 0 3/13/15, BUILD 1 04/03/15
Participants:

Description

I just downloaded the "win32/mongodb-win32-x86_64-2008plus-ssl-v3.0-latest.zip" from the build archive, extracted the server and started it.

According to the log it is version "db version v3.0.1-rc1-pre-"

In the log output I noticed the output
"OpenSSL version: OpenSSL 0.9.8r 8 Feb 2011"

I hope this is a joke. I just don't want to know how many known vulnerabilities are included in this version. I assume at least one will be relevant for Mongo!



Comments
Comment by Jonathan Reams [ 17/Mar/15 ]

mango, the SSL-enabled builds are a new feature of 3.0, and the MSI is the preferred and most-supported method of installation. The "2k8plus-ssl" in the file name actually means that it's built to be compatible with Windows 2008 and above, and is linked against SSL, rather than built on Windows 2008 and including SSL; sorry for the confusion. We do already have a ticket, SERVER-17368, to add the SSL libraries to the zip files. In the meantime, I would strongly recommend using the MSIs on Windows if you're using the SSL-enabled build.

Comment by Jan S. [ 16/Mar/15 ]

First of all, that the MSI contains more than the zip is unexpected. Especially as the filename contains the string "plus-ssl".

Second, on Windows it is a very bad idea to rely on existing non-standard DLLs being installed. The DLL search path contains the PATH environment variable, therefore not only libraries in the Windows system32 directory are loaded. As a lot of applications put themselves onto the PATH, it is unclear which libraries will be loaded.

Luckily I did not make my tests on a production system. On the test system I started Mongo on, the "winner" turned out to be an old installation of the "Intel Trusted Connect Service Client". Even as a security-aware person I did not have that software on my list of software that may cause my system to become insecure...

Furthermore, I tested some libssl32.dll/libeay32.dll I found on my system and copied them into the mongo/bin directory. They were ignored by mongo - I assume because they were incompatible (other compiler -> other calling convention?). Only the two libraries from the MSI version (and those from the old Intel TCSC installation) worked as expected.

Hence I strongly recommend including these libraries in the ZIP version as well...

Comment by Jonathan Reams [ 16/Mar/15 ]

mango, MongoDB is built, tested, and distributed with (in the MSI) OpenSSL 1.0.1j. However, the zip files don't include a copy of the OpenSSL libraries they're built with. We strongly recommend that you use the MSI installer because they do include OpenSSL. Otherwise, Windows will run MongoDB with whatever copy of OpenSSL is installed on your system.

If you want to use the zip files, you should put a copy of the OpenSSL libraries into the same directory as the MongoDB executables, or update the OpenSSL libraries already installed on your system. If there are no OpenSSL libraries installed on your system, there should be a system error that says "The program can't start because LIBEAY32.dll is missing from your computer."

Can you check in c:\windows\system32 for two files called libeay32.dll and ssleay32.dll?
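The two comments above (Jan S. on the DLL search path including PATH, and Jonathan Reams on putting the OpenSSL DLLs next to the executables or checking system32) describe the same diagnosis: which libeay32.dll/ssleay32.dll the Windows loader will actually hand to mongod.exe. The following PowerShell script is an added example, not code from the ticket or from the MongoDB project. It walks the default Windows DLL search order (application directory, System32, System, Windows directory, current directory, then each PATH entry) and reports every copy of the two DLLs it finds, marking the first hit as the one the loader would pick and the rest as shadowed. The install path C:\mongodb\bin\mongod.exe is an assumption; pass your own with -ExePath.

```powershell
# Added example (not part of the Jira ticket): show which OpenSSL DLLs an
# SSL-enabled mongod.exe would load, following the default DLL search order
# (SafeDllSearchMode on): application dir, System32, System, Windows dir,
# current dir, then each PATH entry. The first match per DLL wins.
param(
    # Assumed install location; adjust to the directory you extracted the zip into.
    [string]$ExePath = 'C:\mongodb\bin\mongod.exe'
)

# The two DLL names an OpenSSL 1.0.x Windows build exports.
$dlls = @('libeay32.dll', 'ssleay32.dll')

# Candidate directories in loader order.
$searchDirs = @(
    (Split-Path -Parent $ExePath),
    [Environment]::GetFolderPath('System'),   # C:\Windows\System32
    (Join-Path $env:WINDIR 'System'),
    $env:WINDIR,
    (Get-Location).Path
) + ($env:PATH -split ';')

# Drop empty entries and duplicates while keeping the first-seen order
# (-contains is case-insensitive, matching how Windows compares paths).
$ordered = New-Object System.Collections.Generic.List[string]
foreach ($d in $searchDirs) {
    if ($d -and -not ($ordered -contains $d)) { $ordered.Add($d) }
}

foreach ($dll in $dlls) {
    $found = $false
    foreach ($dir in $ordered) {
        $candidate = Join-Path $dir $dll
        if (Test-Path -LiteralPath $candidate -ErrorAction SilentlyContinue) {
            $info = (Get-Item -LiteralPath $candidate).VersionInfo
            $marker = if ($found) { '(shadowed)' } else { '<-- loader picks this one' }
            '{0}: {1}  FileVersion={2}  Company={3}  {4}' -f `
                $dll, $candidate, $info.FileVersion, $info.CompanyName, $marker
            $found = $true
        }
    }
    if (-not $found) {
        # Matches the system error quoted in the comment above.
        "$dll: not found on the search path; mongod would report it as missing"
    }
}
```

Run it from the directory you would start mongod in, since the current directory is part of the search order. A copy of the DLLs in the mongod.exe directory will always appear first and so always wins; a copy that only shows up under a PATH entry belonging to some unrelated application is exactly the situation the reporter hit. Not every OpenSSL build embeds a version resource, so FileVersion or Company may be blank; the path alone is still enough to tell whose copy is being loaded.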

Comment by Andreas Nilsson [ 16/Mar/15 ]

Thanks for your report mango. Can you provide the exact location of where you downloaded the binary?

Also, was there an existing instance of OpenSSL running on the server before you launched mongo?

Thank you,
Andreas
