[SERVER-38984] Attach IDs to users Created: 14/Jan/19  Updated: 29/Oct/23  Resolved: 14/Feb/19

Status: Closed
Project: Core Server
Component/s: Internal Code, Security
Affects Version/s: None
Fix Version/s: 3.4.22, 3.6.13, 4.0.9, 4.1.9

Type: Task Priority: Major - P3
Reporter: Spencer Jackson Assignee: Sara Golemon
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is documented by DOCS-12482 Docs for SERVER-38984: Attach IDs to ... Closed
Backwards Compatibility: Major Change
Backport Requested: v4.0, v3.6, v3.4
Sprint: Security 2019-01-28, Security 2019-02-11, Security 2019-02-25

 Description   
CVE-2019-2386

Description
After user deletion in MongoDB Server, the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with a new account if that account reuses the name of the deleted one. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

Workarounds
After deleting one or more users, restart any nodes which may have had active user authorization sessions.

Refrain from creating user accounts with the same name as previously deleted accounts.

Credit
Discovered by Mitch Wasson of Cisco's Advanced Malware Protection Group.
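The following is an added illustration, not MongoDB's code and not part of this ticket or its commits. It is a simplified model of what the description and the fix's commit message ("Validate unique User ID on UserCache hit") describe: a node-local cache of user objects keyed by name, a session that re-acquires its user after the cache entry is dropped, and the fix of attaching a unique ID to each account and rejecting the re-acquired user when the ID does not match the one the session authenticated as. The class names, the `user_id` field, the role strings and the `scenario` helper are all assumptions made for this example; the real server's cache, session refresh path and document layout differ.

```python
"""Model of CVE-2019-2386: a session re-acquiring its user by name alone adopts a
new account that reuses the deleted name; validating a unique per-user ID on
re-acquisition de-authorizes it instead. Added example, not MongoDB's code."""
import uuid
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UserDoc:
    """One account document (stands in for an entry in admin.system.users).
    `user_id` is the assumed unique identifier the fix attaches to each user."""
    name: str
    roles: frozenset
    user_id: uuid.UUID = field(default_factory=uuid.uuid4)


class UserStore:
    """Authoritative account store, keyed by name, plus a node-local user cache."""

    def __init__(self):
        self._docs = {}
        self.cache = {}  # name -> UserDoc held by the authorization subsystem

    def create(self, name, roles):
        if name in self._docs:
            raise ValueError(f"user {name!r} already exists")
        self._docs[name] = UserDoc(name, frozenset(roles))
        return self._docs[name]

    def drop(self, name):
        del self._docs[name]
        self.cache.pop(name, None)  # dropping a user evicts its cache entry

    def acquire(self, name):
        """Return the cached user object for `name`, loading it on a miss."""
        if name not in self.cache:
            doc = self._docs.get(name)
            if doc is None:
                return None
            self.cache[name] = doc
        return self.cache[name]


@dataclass
class Session:
    """An authenticated connection. Before the fix it remembers only the user
    name; after the fix it also remembers the unique ID it authenticated as."""
    store: UserStore
    name: str
    validate_id: bool
    user_id: uuid.UUID = None

    def authenticate(self):
        doc = self.store.acquire(self.name)
        if doc is None:
            raise PermissionError("no such user")
        self.user_id = doc.user_id
        return self

    def refresh(self):
        """Re-acquire the user object (what happens after cache invalidation)."""
        doc = self.store.acquire(self.name)
        if doc is None:
            return None
        if self.validate_id and doc.user_id != self.user_id:
            # Same name, different account: this session must not carry over.
            return None
        return doc

    def roles(self):
        doc = self.refresh()
        return set(doc.roles) if doc else set()


# Constructed sample accounts for the scenario below.
OLD_ROLES = frozenset({"read@app"})
NEW_ROLES = frozenset({"readWrite@app", "dbAdmin@app"})


def scenario(validate_id):
    """Return (roles seen by the stale session, roles seen by the new login)."""
    store = UserStore()
    store.create("alice", OLD_ROLES)
    stale = Session(store, "alice", validate_id).authenticate()  # attacker's connection
    store.drop("alice")                # operator removes the compromised account...
    store.create("alice", NEW_ROLES)   # ...and later reuses the name for someone else
    fresh = Session(store, "alice", validate_id).authenticate()  # new owner logs in
    return stale.roles(), fresh.roles()


if __name__ == "__main__":
    for mode in (False, True):
        stale_roles, fresh_roles = scenario(mode)
        print(f"validate_id={mode}: stale session -> {sorted(stale_roles)}, "
              f"new login -> {sorted(fresh_roles)}")
```

With `validate_id=False` the stale session ends up holding the new account's roles, which is the conflation the description refers to; with `validate_id=True` it is left with no roles while the new login is unaffected. The "restart the nodes" workaround above corresponds, in this model, to discarding every `Session` and the whole `cache` at once, which is why it is only a stopgap until the fixed versions are deployed.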



 Comments   
Comment by Githook User [ 08/Jun/19 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-38984 Validate unique User ID on UserCache hit

(cherry picked from commit e55d6e2292e5dbe2f97153251d8193d1cc89f5d7)
Branch: v3.4
https://github.com/mongodb/mongo/commit/64d8e9e1b12d16b54d6a592bae8110226c491b4e

Comment by Githook User [ 17/May/19 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-38984 Validate unique User ID on UserCache hit

(cherry picked from commit e55d6e2292e5dbe2f97153251d8193d1cc89f5d7)
Branch: v3.6
https://github.com/mongodb/mongo/commit/db19e7ce84cfd702a4ba9983ee2ea5019f470f82

Comment by Githook User [ 30/Mar/19 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-38984 Validate unique User ID on UserCache hit

(cherry picked from commit e55d6e2292e5dbe2f97153251d8193d1cc89f5d7)
Branch: v4.0
https://github.com/mongodb/mongo/commit/6dfb92b1299de04677d0bd2230e89a52eb01003c

Comment by Githook User [ 14/Feb/19 ]

Author: Sara Golemon <sara.golemon@mongodb.com> (sgolemon)

Message: SERVER-38984 Validate unique User ID on UserCache hit
Branch: master
https://github.com/mongodb/mongo/commit/e55d6e2292e5dbe2f97153251d8193d1cc89f5d7

Generated at Thu Feb 08 04:50:39 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.