[SERVER-20691] Vulnerability in LDAP authentication
Created: 29/Sep/15  Updated: 07/Jun/17  Resolved: 30/Sep/15

Status: Closed
Project: Core Server
Component/s: Internal Code
Affects Version/s: None
Fix Version/s: 3.0.7, 3.1.9

Type: Bug
Priority: Major - P3
Reporter: Spencer Jackson
Assignee: Spencer Jackson
Resolution: Done
Votes: 0
Labels: asp, asp-cve, asp-sdl-internalassessment, asp-vuln-authbypass
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Backwards Compatibility: Fully Compatible
Operating System: ALL
Sprint: Security A 10/09/15

Description
Issue Status as of Dec 02, 2015

ISSUE SUMMARY
A vulnerability in MongoDB Enterprise 3.0.0 through 3.0.6 may allow a user to gain unauthorized access to a MongoDB instance or cluster. Only deployments using LDAP authentication are affected by this vulnerability.

This vulnerability has been assigned CVE-2015-7882.

To determine if your deployment is affected, run the following command on any node in your cluster:

db.adminCommand({getParameter: 1, authenticationMechanisms: 1})

If the output contains the word “PLAIN” then your installation is vulnerable. The following example shows the output of the above command in a vulnerable installation:

> db.adminCommand({getParameter: 1, authenticationMechanisms: 1})
{ "authenticationMechanisms" : [ "PLAIN" ], "ok" : 1 }
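The check above is a manual one; the following function, added here as an example and not part of the ticket or of MongoDB itself, turns the result document of that getParameter command plus the node's buildInfo document into a verdict against the affected range stated in this advisory (Enterprise 3.0.0 through 3.0.6). It assumes buildInfo.modules lists "enterprise" on Enterprise builds; the sample documents are constructed to mirror the vulnerable output shown above.

```javascript
// Added example (not from the ticket or MongoDB): assess one node's exposure to
// CVE-2015-7882 from two command results. Uses only ES5 so it also runs in the
// mongo shell, e.g. assessLdapPlainExposure(
//   db.adminCommand({getParameter: 1, authenticationMechanisms: 1}),
//   db.adminCommand({buildInfo: 1}))

// Affected range from the advisory: Enterprise 3.0.0 through 3.0.6 inclusive.
var AFFECTED_MIN = [3, 0, 0];
var AFFECTED_MAX = [3, 0, 6];

// "3.0.6" or "3.0.7-rc0" -> [3, 0, 6] / [3, 0, 7]; pre-release tags are ignored.
function parseVersion(s) {
  var core = String(s).split("-")[0].split(".");
  var out = [];
  for (var i = 0; i < 3; i++) out.push(parseInt(core[i] || "0", 10));
  return out;
}

// Lexicographic compare of [major, minor, patch]: -1, 0 or 1.
function compareVersions(a, b) {
  for (var i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// mechParam: result of {getParameter: 1, authenticationMechanisms: 1}
// buildInfo: result of {buildInfo: 1}; "modules" containing "enterprise" is
// how this example tells Enterprise builds apart (assumption, not from the ticket).
function assessLdapPlainExposure(mechParam, buildInfo) {
  var mechs = mechParam.authenticationMechanisms || [];
  var plainEnabled = mechs.indexOf("PLAIN") !== -1;
  var v = parseVersion(buildInfo.version);
  var inAffectedRange = compareVersions(v, AFFECTED_MIN) >= 0 &&
                        compareVersions(v, AFFECTED_MAX) <= 0;
  var enterprise = (buildInfo.modules || []).indexOf("enterprise") !== -1;
  var vulnerable = plainEnabled && inAffectedRange && enterprise;
  return {
    plainEnabled: plainEnabled,
    inAffectedRange: inAffectedRange,
    enterprise: enterprise,
    vulnerable: vulnerable,
    action: vulnerable ? "upgrade to 3.0.7 or later" :
            (plainEnabled && inAffectedRange) ? "Community build: not affected per advisory" :
            "no action for CVE-2015-7882"
  };
}

// Constructed sample input mirroring the vulnerable output shown in the ticket.
var sampleMechs = { "authenticationMechanisms": ["PLAIN"], "ok": 1 };
var sampleBuild = { version: "3.0.6", modules: ["enterprise"] };
var verdict = assessLdapPlainExposure(sampleMechs, sampleBuild);
```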

USER IMPACT
It is possible to gain unauthorized access to an instance or cluster running an affected version of MongoDB Enterprise with LDAP authentication enabled. The Community edition of MongoDB is not affected by this vulnerability.

WORKAROUNDS
There are no workarounds for this issue. Impacted users must upgrade to MongoDB 3.0.7 as soon as possible.

AFFECTED VERSIONS
MongoDB Enterprise 3.0.0 through 3.0.6 (inclusive).

FIX VERSION
The fix is included in the 3.0.7 production release.



Comments
Comment by Githook User [ 02/Dec/15 ]

Author: Boomtime <andrew.ryder@10gen.com>

Message: PLAIN does not work for in-database users in 3.0

See SERVER-20691, and HELP-1536 for extra context.

Signed-off-by: kay <kay.kim@10gen.com>
Branch: master
https://github.com/mongodb/docs/commit/47dac57419433ac23c7b5449f6d0a2448205750f

Comment by Githook User [ 02/Dec/15 ]

Author: Boomtime <andrew.ryder@10gen.com>

Message: PLAIN does not work for in-database users in 3.0

See SERVER-20691, and HELP-1536 for extra context.

Signed-off-by: kay <kay.kim@10gen.com>
Branch: v3.0
https://github.com/mongodb/docs/commit/787c8b2b3344cc0f035ea95f54adef5c6abb89d9

Comment by Githook User [ 13/Oct/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-20691 Improve SASL and SCRAM compatibility
Branch: artree
https://github.com/10gen/mongo-enterprise-modules/commit/bd217484dfd86e53b6497c4f32bf876913444a84

Comment by Githook User [ 30/Sep/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-20691 Improve SASL and SCRAM compatibility
Branch: v3.0
https://github.com/10gen/mongo-enterprise-modules/commit/9a5a13d62da29b994bd78359ed30f85e0b39f190

Comment by Githook User [ 30/Sep/15 ]

Author: Spencer Jackson (spencerjackson) <spencer.jackson@mongodb.com>

Message: SERVER-20691 Improve SASL and SCRAM compatibility
Branch: master
https://github.com/10gen/mongo-enterprise-modules/commit/bd217484dfd86e53b6497c4f32bf876913444a84

Generated at Thu Feb 08 03:54:59 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.