[SERVER-73662] tlsClusterCAFile is not being used to validate client certificates on Windows Created: 06/Feb/23  Updated: 24/Jan/24  Resolved: 12/May/23

Status: Closed
Project: Core Server
Component/s: None
Affects Version/s: None
Fix Version/s: 7.1.0-rc0, 6.0.7, 5.0.19, 4.4.23, 7.0.0-rc2

Type: Bug Priority: Major - P3
Reporter: Erwin Pe Assignee: Adrian Gonzalez Montemayor
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Backports
Related
is related to SERVER-77028 tlsClusterCAFile is not being used to... Closed
Assigned Teams:
Server Security
Backwards Compatibility: Fully Compatible
Operating System: ALL
Backport Requested:
v7.0, v6.3, v6.0, v5.0, v4.4
Sprint: Security 2023-04-17, Security 2023-05-01, Security 2023-05-15
Participants:

Description
CVE-2023-1409

Title:

Certificate validation issue in MongoDB Server running on Windows or macOS

CVE:

CVE-2023-1409

Description:

If MongoDB Server running on Windows or macOS is configured to use TLS with a specific set of configuration options that are already known to work securely on other platforms (e.g. Linux), client certificate validation may not be in effect, potentially allowing a client to establish a TLS connection with the server while supplying any certificate.

This issue affects all MongoDB Server v6.3 versions, MongoDB Server v5.0 versions v5.0.0 to v5.0.14, and all MongoDB Server v4.4 versions.

CVSS Score:

This issue's CVSS:3.1 severity is scored at 5.3 using the following scoring metrics:
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

All Affected Product Versions:

All MongoDB Server v6.3 versions

MongoDB Server v5.0 versions v5.0.0 to v5.0.14

All MongoDB Server v4.4 versions

CWE:
CWE-295: Improper Certificate Validation

How was the Issue Found? (Internally/Externally):

Internally

Public Reference:

SERVER-73662 SERVER-77028
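The advisory says client certificate validation may silently be off on affected Windows and macOS hosts, and the issue title names net.tls.clusterCAFile, the option that is documented to hold the CA used to validate certificates presented by connecting clients. The direct way to tell whether a given mongod honours it is to present a client certificate issued by a CA the server should not trust and see whether the connection survives. The probe below is an added example written for this page, not MongoDB project code or anything from the linked commits. It assumes a TLS-enabled mongod at HOST:PORT, a client certificate and key you have issued from a throwaway CA (the file paths are placeholders), and optionally the server's CA so the probe can verify the server certificate. After the handshake it sends an unauthenticated hello command as an OP_MSG, because under TLS 1.3 the server's rejection of a client certificate may only surface on the first application-data exchange; the list of TLS alert names treated as a rejection was assembled for this example.

```python
"""Probe whether a TLS-terminating mongod really validates client certificates.

Added example for this advisory (not MongoDB project code). Present a client
certificate issued by a CA the server should NOT trust: a server honouring its
clusterCAFile aborts with a TLS alert or closes the connection, while a server
hit by this bug answers our request as if the certificate were fine.
"""
import socket
import ssl
import struct
import sys

OP_MSG = 2013  # MongoDB wire-protocol opcode for OP_MSG
ACCEPTED, REJECTED, UNDETERMINED = "accepted", "rejected", "undetermined"

# OpenSSL alert names a verifying peer surfaces when it distrusts our certificate
# (list assembled for this example, not taken from the advisory).
REJECT_REASONS = (
    "ALERT_UNKNOWN_CA", "ALERT_BAD_CERTIFICATE", "ALERT_CERTIFICATE_UNKNOWN",
    "ALERT_CERTIFICATE_REVOKED", "ALERT_CERTIFICATE_EXPIRED",
    "ALERT_ACCESS_DENIED", "ALERT_HANDSHAKE_FAILURE",
)


def _cstring(s: str) -> bytes:
    return s.encode("utf-8") + b"\x00"


def bson_document(fields: dict) -> bytes:
    """Encode a flat dict of int32 / str values as a BSON document (enough for hello)."""
    body = b""
    for key, value in fields.items():
        if isinstance(value, bool) or not isinstance(value, (int, str)):
            raise TypeError(f"unsupported BSON value for {key!r}")
        if isinstance(value, int):
            body += b"\x10" + _cstring(key) + struct.pack("<i", value)
        else:
            encoded = _cstring(value)
            body += b"\x02" + _cstring(key) + struct.pack("<i", len(encoded)) + encoded
    body += b"\x00"
    return struct.pack("<i", len(body) + 4) + body


def build_hello_message(request_id: int = 1, command: str = "hello") -> bytes:
    """OP_MSG carrying {<command>: 1, $db: "admin"}; hello/isMaster need no auth."""
    doc = bson_document({command: 1, "$db": "admin"})
    payload = struct.pack("<I", 0) + b"\x00" + doc  # flagBits, section kind 0, body
    header = struct.pack("<iiii", 16 + len(payload), request_id, 0, OP_MSG)
    return header + payload


def parse_header(data: bytes):
    """Return (messageLength, requestID, responseTo, opCode) from a 16-byte wire header."""
    if len(data) < 16:
        raise ValueError("short header")
    return struct.unpack_from("<iiii", data, 0)


def classify_handshake_error(error) -> str:
    """Map an SSLError (or its message text) to a verdict; unknown reasons stay undetermined."""
    text = str(error).upper()
    return REJECTED if any(reason in text for reason in REJECT_REASONS) else UNDETERMINED


def _recv_exact(sock, n: int):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            return None  # peer closed before sending n bytes
        buf += chunk
    return buf


def probe_client_cert_validation(host, port, client_cert, client_key,
                                 server_ca=None, command="hello", timeout=5.0) -> str:
    """Connect with an untrusted client certificate and report what the server did."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if server_ca:
        ctx.load_verify_locations(server_ca)
    else:  # we are auditing the server's checks, not ours: accept any server cert
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    ctx.load_cert_chain(client_cert, client_key)  # the certificate the server should reject
    request_id = 1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # With TLS 1.3 the server's verdict on our certificate can arrive only
                # after we send application data, so always exchange one request.
                tls.sendall(build_hello_message(request_id, command))
                head = _recv_exact(tls, 16)
                if head is None:
                    return REJECTED  # closed instead of answering a pre-auth command
                _, _, response_to, op_code = parse_header(head)
                return ACCEPTED if (op_code == OP_MSG and response_to == request_id) else UNDETERMINED
    except ssl.SSLEOFError:
        return REJECTED  # connection cut during/after handshake; confirm in mongod logs
    except ssl.SSLError as exc:
        return classify_handshake_error(exc)  # TLS alert from the server
    except ConnectionResetError:
        return REJECTED  # mongod dropped us rather than answer
    except (OSError, ValueError):
        return UNDETERMINED  # refused, timed out or malformed reply: not a verdict


if __name__ == "__main__":
    if len(sys.argv) < 5:
        sys.exit("usage: probe.py HOST PORT CLIENT_CERT.pem CLIENT_KEY.pem [SERVER_CA.pem]")
    ca_path = sys.argv[5] if len(sys.argv) > 5 else None
    print(probe_client_cert_validation(sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4], ca_path))
```

A verdict of accepted from a server whose clusterCAFile does not contain the throwaway CA is the condition this advisory describes; rejected is the expected result on a fixed build. The hello command is answered before authentication on 5.0 and on 4.4.2 and later; on older 4.4 builds pass command="isMaster". Run the same probe with a certificate from the trusted CA as a control so that a rejected verdict is known to come from certificate validation and not from an unrelated TLS or network problem.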



Comments
Comment by Githook User [ 16/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-73662 tlsClusterCAFile is not being used to validate client certificates on Windows
Branch: v7.0
https://github.com/mongodb/mongo/commit/0e1191bd32303bf5b973f9ddc4e2893ce5a95c92

Comment by Githook User [ 16/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-73662 tlsClusterCAFile is not being used to validate client certificates on Windows
Branch: v5.0
https://github.com/mongodb/mongo/commit/340341061cbfcdfcc38ffb307e53ade50e082999

Comment by Githook User [ 15/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-73662 tlsClusterCAFile is not being used to validate client certificates on Windows
Branch: v6.0
https://github.com/mongodb/mongo/commit/12839194cc191961492564d0aa4e0ba70eaae836

Comment by Githook User [ 15/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-73662 tlsClusterCAFile is not being used to validate client certificates on Windows
Branch: v4.4
https://github.com/mongodb/mongo/commit/78c7716c2d6b39b784f8fba490b6dcead2f62266

Comment by Githook User [ 12/May/23 ]

Author:

{'name': 'Adrian Gonzalez', 'email': 'adriangonzalezmontemayor@gmail.com', 'username': 'adriangzz'}

Message: SERVER-73662 tlsClusterCAFile is not being used to validate client certificates on Windows
Branch: master
https://github.com/mongodb/mongo/commit/eb05490c36d7d21ccb142984b6d83c6f30146ae6

Generated at Thu Feb 08 06:25:17 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.