[SERVER-36263] Bypassing operation validation in applyOps should require special privilege Created: 24/Jul/18  Updated: 29/Oct/23  Resolved: 10/Mar/21

Status: Closed
Project: Core Server
Component/s: Replication, Security
Affects Version/s: None
Fix Version/s: 4.9.0, 4.2.16, 4.0.27, 4.4.9

Type: Improvement Priority: Major - P3
Reporter: Tess Avitabile (Inactive) Assignee: Moustafa Maher
Resolution: Fixed Votes: 0
Labels: former-quick-wins, nyc
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Depends
Documented
is documented by DOCS-14282 Investigate changes in SERVER-36263: ... Closed
Related
related to SERVER-50381 3 way deadlock between applyOps cmd, ... Closed
related to SERVER-53674 Do not run applyOps commands in the f... Closed
related to SERVER-58247 Using createIndexes in applyOps with ... Closed
related to SERVER-66651 Role "restore" not sufficient for `mo... Closed
is related to SERVER-32952 applyOps does not validate updates Backlog
is related to SERVER-33326 Remove use of applyOps/doTxn from sha... Closed
is related to SERVER-25994 Allow applyOps to validate authorizat... Closed
Backwards Compatibility: Major Change
Backport Requested:
v4.4, v4.2, v4.0
Sprint: Repl 2021-03-08, Repl 2021-03-22
Participants:

Description

CVE-2021-20330
Title
Specific replication command with malformed oplog entries can crash secondaries

CVE ID
CVE-2021-20330

Description

An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries.

This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.

CVSS score
This issue's CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Affected versions

MongoDB Server v4.0 versions prior to 4.0.27;

MongoDB Server v4.2 versions prior to 4.2.16;

MongoDB Server v4.4 versions prior to 4.4.9.

CWE
CWE-20 Improper Input Validation

Underlying operating systems affected
ALL


As of SERVER-25994, a user can run applyOps if they have the privileges to perform each individual operation specified in the applyOps command. However, applyOps is more powerful than other commands in that it avoids certain input validation (see SERVER-27096, SERVER-32941, SERVER-32952, and SERVER-32305). This is done intentionally, since applyOps is supposed to behave similarly to oplog application, where the primary does all validation and the secondary applies the changes exactly as the primary specified without validation. This feature is important to products that mimic oplog application, such as mongomirror and mongorestore. However, users should not be able to bypass validation simply because they have permission to write to a collection. Instead, applyOps should require a special privilege for bypassing validation.

We will create a new privilege bypassing system-level invariants in applyOps. Today, this privilege will be required in order to run applyOps at all, since we have not implemented a version of applyOps that performs validation. The privilege will be included in dbAdminAnyDatabase, which is included in the custom role atlasAdmin and the temporary user that we create for Live Imports (mongomirror).
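The authorization rule described above (and confirmed in the comments: callers need both the new bypass privilege and the privileges for every underlying operation) can be modelled as a two-layer check. The following is an added illustration, not MongoDB's server code; the action name `BYPASS_ACTION` is a placeholder because the ticket does not name the real privilege action, the privilege document shape loosely follows the `{ resource, actions }` form MongoDB roles use, and the sample privileges and applyOps command are constructed for the example.

```javascript
// Added example (not MongoDB's code): model of the two-layer authorization
// check for applyOps described in SERVER-36263. A caller must hold
//   (1) the bypass-validation privilege (name below is a PLACEHOLDER), and
//   (2) the privilege for every individual operation in the applyOps array
//       (the pre-existing SERVER-25994 rule).
const BYPASS_ACTION = "applyOpsBypassValidation_PLACEHOLDER"; // assumed name

// Map oplog op types to the action required on the target namespace.
const OP_TO_ACTION = { i: "insert", u: "update", d: "remove" };

// Split "db.collection" at the first dot (collection names may contain dots).
function splitNs(ns) {
  const i = ns.indexOf(".");
  if (i < 0) throw new Error("bad namespace: " + ns);
  return { db: ns.slice(0, i), collection: ns.slice(i + 1) };
}

// Does one privilege grant `action` on namespace `ns`?
// resource forms modelled: {anyResource:true}, {cluster:true}, {db, collection}
// where an empty db or collection string means "any" (as in MongoDB roles).
function privilegeCovers(priv, ns, action) {
  const actionOk = priv.actions.includes(action) || priv.actions.includes("anyAction");
  if (!actionOk) return false;
  const r = priv.resource;
  if (r.anyResource) return true;
  if (r.cluster) return false; // cluster-scoped privileges never cover a namespace
  const { db, collection } = splitNs(ns);
  const dbOk = r.db === "" || r.db === db;
  const collOk = r.collection === "" || r.collection === collection;
  return dbOk && collOk;
}

// Layer 1: the bypass privilege. Assumed to be granted on the cluster
// resource (or anyResource); the ticket does not specify the resource type.
function hasBypassPrivilege(userPrivileges) {
  return userPrivileges.some(
    (p) =>
      (p.resource.cluster || p.resource.anyResource) &&
      (p.actions.includes(BYPASS_ACTION) || p.actions.includes("anyAction"))
  );
}

// Returns { ok, reason } for a user's privilege set and an applyOps command body.
function authorizeApplyOps(userPrivileges, applyOpsCmd) {
  if (!hasBypassPrivilege(userPrivileges)) {
    return { ok: false, reason: "missing bypass-validation privilege" };
  }
  // Layer 2: per-operation check, unchanged from before this ticket.
  for (const op of applyOpsCmd.applyOps) {
    const action = OP_TO_ACTION[op.op];
    if (!action) return { ok: false, reason: `unsupported op type ${op.op}` };
    if (!userPrivileges.some((p) => privilegeCovers(p, op.ns, action))) {
      return { ok: false, reason: `not authorized for ${action} on ${op.ns}` };
    }
  }
  return { ok: true, reason: "" };
}

// --- Constructed sample data -------------------------------------------------
// A user with plain CRUD rights on one collection (the pre-fix attacker profile).
const CRUD_ONLY = [
  { resource: { db: "test", collection: "items" },
    actions: ["find", "insert", "update", "remove"] },
];
// The bypass privilege alone, without any rights on the collection.
const BYPASS_ONLY = [{ resource: { cluster: true }, actions: [BYPASS_ACTION] }];
// Both layers satisfied.
const CRUD_AND_BYPASS = CRUD_ONLY.concat(BYPASS_ONLY);
// The "anyAction on anyResource" custom role used for --oplogReplay.
const RESTORE_ROLE = [{ resource: { anyResource: true }, actions: ["anyAction"] }];

const SAMPLE_CMD = {
  applyOps: [
    { op: "i", ns: "test.items", o: { _id: 1, sku: "a" } },
    { op: "u", ns: "test.items", o2: { _id: 1 }, o: { $set: { sku: "b" } } },
  ],
};
```

Calling `authorizeApplyOps(CRUD_ONLY, SAMPLE_CMD)` is the case the ticket closes: after the change, collection-level write privileges alone no longer suffice. `BYPASS_ONLY` fails the second layer instead, and `CRUD_AND_BYPASS` or `RESTORE_ROLE` pass both.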



Comments
Comment by Judah Schvimer [ 25/Jan/22 ]

Hi xwzhang@cn.ibm.com,

Thank you for pointing this out! This was indeed a mistake. The fix versions were correct and I have fixed the description to match. 4.4.6 does not have the fix for the issue; they would have to upgrade to 4.4.9, as you point out.

Thank you and let me know if you have any further questions,
Judah

Comment by Xian Wei Zhang [ 25/Jan/22 ]

Hi MongoDB team,

I see some inconsistent info on this page, could you help clarify?

The Fix Version is 4.4.9. But Affected versions is 'v4.4 versions prior to 4.4.6'.

When tracking the commits between 4.4.6 and 4.4.9, it seems 4.4.6 does not have the corresponding commit 7e053b....?

https://github.com/mongodb/mongo/compare/r4.4.6...r4.4.9

Our customer is using 4.4.6 enterprise edition, does it have the fix for this issue?

Comment by Githook User [ 04/Aug/21 ]

Author:

{'name': 'Moustafa Maher', 'email': 'm.maher@10gen.com', 'username': 'moustafamaher'}

Message: SERVER-36263 Bypassing operation validation in applyOps should require special privilege
Branch: v4.2
https://github.com/mongodb/mongo/commit/865eccaf35aca29d1b71764d50227cdf853752d0

Comment by Githook User [ 04/Aug/21 ]

Author:

{'name': 'Moustafa Maher', 'email': 'm.maher@10gen.com', 'username': 'moustafamaher'}

Message: SERVER-36263 Bypassing operation validation in applyOps should require special privilege
Branch: v4.0
https://github.com/mongodb/mongo/commit/cbec187266a9f902b3906ae8ccef2bbda0c5b27b

Comment by Githook User [ 04/Aug/21 ]

Author:

{'name': 'Moustafa Maher', 'email': 'm.maher@10gen.com', 'username': 'moustafamaher'}

Message: SERVER-36263 Bypassing operation validation in applyOps should require special privilege
Branch: v4.4
https://github.com/mongodb/mongo/commit/7e053b675b100a31092e5a195e4549712c0966ce

Comment by Githook User [ 09/Mar/21 ]

Author:

{'name': 'Moustafa Maher', 'email': 'm.maher@10gen.com', 'username': 'moustafamaher'}

Message: SERVER-36263 Bypassing operation validation in applyOps should require special privilege
Branch: master
https://github.com/mongodb/mongo/commit/f4a56b57cb8e8fe267dfed4966b52c16dd5b489f

Comment by Spencer Jackson [ 09/Mar/21 ]

Thanks tim.fogarty! To answer your question, yes, users will need both the new privilege we're creating and the privileges needed to perform the underlying operation.

Comment by Tim Fogarty [ 09/Mar/21 ]

Hey spencer.jackson, yes, that should be totally fine. We tell users to create a custom role with anyAction on anyResource when using --oplogReplay. Just wanted to check, with the new privilege, users will still need the privileges necessary to run the underlying op too?

Comment by Ian Whalen (Inactive) [ 17/Aug/18 ]

Assigning to repl since this is applyOps as per Spencer's last comment.

Comment by Tess Avitabile (Inactive) [ 25/Jul/18 ]

Yes, I think applyOps as it is today should require a special privilege to run. Alternatively, we could implement validation for all those tickets and have an option to applyOps to bypass validation and make that option require a special privilege.

Comment by Eric Milkie [ 25/Jul/18 ]

If we add this special privilege before we actually implement validation in applyOps for those server tickets mentioned in the description, wouldn't that effectively make applyOps require that privilege to use it at all?

Generated at Thu Feb 08 04:42:34 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.