[SERVER-4216] [SECURITY] mongodb 10gen debian package listens on all interfaces by default Created: 04/Nov/11  Updated: 11/Jul/16  Resolved: 08/Apr/14

Status: Closed
Project: Core Server
Component/s: Packaging, Security
Affects Version/s: None
Fix Version/s: 2.6.0-rc0

Type: Bug Priority: Critical - P2
Reporter: Roman Shtylman Assignee: Andreas Nilsson
Resolution: Done Votes: 2
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Debian Testing


Issue Links:
Related
is related to SERVER-792 Bind to localhost by default in RPM a... Closed
Backwards Compatibility: Fully Compatible
Operating System: Linux
Sprint: Security [00-02-20-15]
Participants:

Description

The default install of mongodb from the repo:
http://downloads-distro.mongodb.org/repo/debian-sysvinit

Does not have a "bind_ip 127.0.0.1" option set in the mongodb.conf. This leaves a user's server vulnerable if they are not aware of this setting. The default should be to lock down as much as possible and only expose if the user requests it.
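An added example, not code from the ticket or from MongoDB's own packaging: a small audit that parses the legacy `key = value` mongodb.conf format those packages shipped and reports the two exposure conditions discussed here, a missing or non-loopback `bind_ip` and `auth` left off. The sample configurations are constructed for illustration.

```python
import ipaddress

# Constructed sample in the legacy "key = value" mongodb.conf format;
# bind_ip is commented out, as the ticket describes for the default install.
SAMPLE_CONF_DEFAULT = """\
# mongodb.conf
dbpath=/var/lib/mongodb
logpath=/var/log/mongodb/mongodb.log
logappend=true
#port = 27017
#bind_ip = 127.0.0.1
"""

# Constructed sample with the loopback binding and auth both set.
SAMPLE_CONF_HARDENED = """\
dbpath=/var/lib/mongodb
bind_ip = 127.0.0.1
auth = true
"""


def parse_legacy_conf(text):
    """Parse 'key = value' lines; '#' comments and blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def audit_exposure(text):
    """Return findings describing how reachable this mongod would be."""
    settings = parse_legacy_conf(text)
    findings = []
    bind_ip = settings.get("bind_ip")
    if bind_ip is None:
        findings.append("bind_ip unset: mongod listens on all interfaces")
    else:
        for addr in (a.strip() for a in bind_ip.split(",")):
            try:
                if not ipaddress.ip_address(addr).is_loopback:
                    findings.append(f"bind_ip includes non-loopback address {addr}")
            except ValueError:
                findings.append(f"bind_ip contains unparseable address {addr!r}")
    if settings.get("auth", "false").lower() != "true":
        findings.append("auth not enabled: unauthenticated clients accepted")
    return findings
```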



Comments
Comment by Andreas Nilsson [ 08/Apr/14 ]

Binding to localhost on Debian by default

Comment by Roman Shtylman [ 11/Feb/12 ]

I agree, but I think it is very important that updated packages get out there asap. Since mongodb ships with no auth by default this leaves many people completely vulnerable without realizing it.

Comment by Eliot Horowitz (Inactive) [ 02/Feb/12 ]

This will break current deployments - so will need to be heavily documented and easy to debug.

Generated at Thu Feb 08 03:05:18 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.