[SERVER-36263] Bypassing operation validation in applyOps should require special privilege Created: 24/Jul/18 Updated: 29/Oct/23 Resolved: 10/Mar/21 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Replication, Security |
| Affects Version/s: | None |
| Fix Version/s: | 4.9.0, 4.2.16, 4.0.27, 4.4.9 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Tess Avitabile (Inactive) | Assignee: | Moustafa Maher |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | former-quick-wins, nyc |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Backwards Compatibility: | Major Change |
| Backport Requested: | v4.4, v4.2, v4.0 |
| Sprint: | Repl 2021-03-08, Repl 2021-03-22 |
| Participants: |
| Description |
|
CVE-2021-20330

CVE ID:
Description: An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.
CVSS score:
Affected versions: MongoDB Server v4.0 versions prior to 4.0.27; MongoDB Server v4.2 versions prior to 4.2.16; MongoDB Server v4.4 versions prior to 4.4.9.
CWE:
Underlying operating systems affected:

As of We will create a new privilege bypassing system-level invariants in applyOps. Today, this privilege will be required in order to run applyOps at all, since we have not implemented a version of applyOps that performs validation. The privilege will be included in dbAdminAnyDatabase, which is included in the custom role atlasAdmin and the temporary user that we create for Live Imports (mongomirror). |
| Comments |
| Comment by Judah Schvimer [ 25/Jan/22 ] |
|
Thank you for pointing this out! This was indeed a mistake. The fix versions were correct and I have fixed the description to match it. 4.4.6 does not have the fix for the issue, they would have to upgrade to 4.4.9 as you point out. Thank you and let me know if you have any further questions, |
| Comment by Xian Wei Zhang [ 25/Jan/22 ] |
|
Hi MongoDB team, I see some inconsistent info on this page, could you help clarify? The Fix Version is 4.4.9. But Affected versions is 'v4.4 versions prior to 4.4.6'. When tracking the commits between 4.4.6 and 4.4.9, it seems 4.4.6 does not have the corresponding commit 7e053b....? https://github.com/mongodb/mongo/compare/r4.4.6...r4.4.9 Our customer is using 4.4.6 enterprise edition, does it have the fix for this issue? |
| Comment by Githook User [ 04/Aug/21 ] |
|
Author: {'name': 'Moustafa Maher', 'email': 'm.maher@10gen.com', 'username': 'moustafamaher'} Message: |
| Comment by Githook User [ 04/Aug/21 ] |
|
Author: {'name': 'Moustafa Maher', 'email': 'm.maher@10gen.com', 'username': 'moustafamaher'} Message: |
| Comment by Githook User [ 04/Aug/21 ] |
|
Author: {'name': 'Moustafa Maher', 'email': 'm.maher@10gen.com', 'username': 'moustafamaher'} Message: |
| Comment by Githook User [ 09/Mar/21 ] |
|
Author: {'name': 'Moustafa Maher', 'email': 'm.maher@10gen.com', 'username': 'moustafamaher'} Message: |
| Comment by Spencer Jackson [ 09/Mar/21 ] |
|
Thanks tim.fogarty! To answer your question, yes, users will need both the new privilege we're creating and the privileges needed to perform the underlying operation. |
| Comment by Tim Fogarty [ 09/Mar/21 ] |
|
Hey spencer.jackson, yes, that should be totally fine. We tell users to create a custom role with anyAction on anyResource when using --oplogReplay. Just wanted to check, with the new privilege, users will still need the privileges necessary to run the underlying op too? |
| Comment by Ian Whalen (Inactive) [ 17/Aug/18 ] |
|
Assigning to repl since this is applyOps as per Spencer's last comment. |
| Comment by Tess Avitabile (Inactive) [ 25/Jul/18 ] |
|
Yes, I think applyOps as it is today should require a special privilege to run. Alternatively, we could implement validation for all those tickets and have an option to applyOps to bypass validation and make that option require a special privilege. |
| Comment by Eric Milkie [ 25/Jul/18 ] |
|
If we add this special privilege before we actually implement validation in applyOps for those server tickets mentioned in the description, wouldn't that effectively make applyOps require that privilege to use it at all? |
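
The two-part check described in the ticket and confirmed in Spencer Jackson's reply (the new applyOps privilege plus the privileges for each underlying operation), modeled as an added example that is not MongoDB's code or part of this ticket. It assumes the new privilege is the `applyOps` action on the cluster resource as named in MongoDB's privilege-action documentation; the function names and the sample roles and oplog entry are constructed for illustration.

```javascript
// Added example: simplified model of the rule in this ticket, not MongoDB's code.
// Assumption: the new privilege is the "applyOps" action on the cluster resource.

// Oplog "op" codes mapped to the action needed for the underlying operation.
const OP_ACTION = { i: "insert", u: "update", d: "remove" };

function grants(priv, action) {
  return priv.actions.includes(action) || priv.actions.includes("anyAction");
}

function coversCluster(res) {
  return res.cluster === true || res.anyResource === true;
}

// Does a resource pattern cover namespace "db.coll"? An empty collection
// string is a wildcard that does not extend to system.* collections.
function coversNamespace(res, ns) {
  if (res.anyResource === true) return true;
  const dot = ns.indexOf(".");
  if (dot < 1 || typeof res.db !== "string" || typeof res.collection !== "string") return false;
  const db = ns.slice(0, dot), coll = ns.slice(dot + 1);
  if (res.db !== "" && res.db !== db) return false;
  if (res.collection === "") return !coll.startsWith("system.");
  return res.collection === coll;
}

// Both checks must pass: the applyOps privilege AND the privilege for each op.
function authorizeApplyOps(privileges, ops) {
  if (!privileges.some(p => coversCluster(p.resource) && grants(p, "applyOps")))
    return { ok: false, reason: "missing applyOps privilege" };
  for (const op of ops) {
    const action = OP_ACTION[op.op];
    // Fail closed on op types this model does not cover (e.g. "c" commands).
    if (!action) return { ok: false, reason: `op type ${op.op} not modeled` };
    if (!privileges.some(p => coversNamespace(p.resource, op.ns) && grants(p, action)))
      return { ok: false, reason: `missing ${action} on ${op.ns}` };
  }
  return { ok: true, reason: "authorized" };
}

// Constructed sample privilege sets and a constructed oplog entry.
const crudOnly = [{ resource: { db: "shop", collection: "orders" },
                    actions: ["find", "insert", "update", "remove"] }];
const applyOpsOnly = [{ resource: { cluster: true }, actions: ["applyOps"] }];
const anyActionRole = [{ resource: { anyResource: true }, actions: ["anyAction"] }];
const sampleOps = [{ op: "i", ns: "shop.orders", o: { _id: 1 } }];

for (const [name, privs] of Object.entries({ crudOnly, applyOpsOnly, anyActionRole }))
  console.log(name, authorizeApplyOps(privs, sampleOps));
```

The same function can be pointed at the `inheritedPrivileges` array from `rolesInfo` output to list which existing roles would still be able to run applyOps after upgrading.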