<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 09:01:01 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[JAVA-4017] Fix CVE-2021-20328</title>
                <link>https://jira.mongodb.org/browse/JAVA-4017</link>
                <project id="10006" key="JAVA">Java Driver</project>
                    <description>&lt;p&gt;Fix CVE-2021-20328&lt;/p&gt;

&lt;p&gt;&lt;b&gt;CVE ID:&lt;/b&gt;&#160;CVE-2021-20328&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Title:&lt;/b&gt;&#160;MongoDB Java driver client-side field level encryption not verifying KMS host name&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Description&lt;/b&gt;: Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server&#8217;s TLS certificate: a certificate that chains to a trusted CA but was issued for a different host name is accepted. Combined with an active man-in-the-middle attack from a privileged network position, this could allow interception of the traffic between the Java driver and the KMS service, rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects every Java driver release that supports CSFLE prior to the fixed versions listed below. The Java async, Scala, and reactive streams drivers are not impacted. Driver traffic to CSFLE-supported key services originating from applications running inside the AWS, GCP, and Azure network fabrics is not impacted, due to compensating controls in those environments; applications that reach a cloud KMS from outside those fabrics (for example, on-premises deployments) should still upgrade. This issue does not affect driver workloads that don&#8217;t use Field Level Encryption.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;CVSS v3.1 base score:&lt;/b&gt;&#160;6.4 (Medium)&#160;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Exact affected versions&lt;/b&gt; (ranges are inclusive):&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;mongo-java-driver, mongodb-driver, mongodb-driver-sync, mongodb-driver-legacy: 3.11.0 - 3.11.2, 3.12.0 - 3.12.7&lt;/li&gt;
	&lt;li&gt;mongodb-driver-sync, mongodb-driver-legacy: 4.0.0 - 4.0.5, 4.1.0 - 4.1.1, 4.2.0&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&lt;b&gt;Is fixed version available:&lt;/b&gt;&#160;Yes.&#160; Upgrade to the first fixed release on the branch in use:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;mongo-java-driver, mongodb-driver, mongodb-driver-sync, mongodb-driver-legacy: 3.11.3, 3.12.8.&lt;/li&gt;
	&lt;li&gt;mongodb-driver-sync, mongodb-driver-legacy: 4.0.6, 4.1.2, 4.2.1&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&lt;b&gt;Underlying operating systems affected:&lt;/b&gt;&#160;All&lt;/p&gt;

&lt;p&gt;&lt;b&gt;How the issue was discovered:&lt;/b&gt;&#160;Internally&lt;/p&gt;</description>
                <environment></environment>
        <key id="1626041">JAVA-4017</key>
            <summary>Fix CVE-2021-20328</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="jeff.yemin@mongodb.com">Jeffrey Yemin</assignee>
                                    <reporter username="jeff.yemin@mongodb.com">Jeffrey Yemin</reporter>
                        <labels>
                    </labels>
                <created>Wed, 17 Feb 2021 17:41:59 +0000</created>
                <updated>Sat, 28 Oct 2023 11:21:24 +0000</updated>
                            <resolved>Thu, 18 Feb 2021 21:02:38 +0000</resolved>
                                                    <fixVersion>3.11.3</fixVersion>
                    <fixVersion>3.12.8</fixVersion>
                    <fixVersion>4.0.6</fixVersion>
                    <fixVersion>4.1.2</fixVersion>
                    <fixVersion>4.2.1</fixVersion>
                                    <component>Client Side Encryption</component>
                                        <votes>0</votes>
                                    <watches>2</watches>
                                                                                                                <comments>
                            <comment id="3623897" author="jeff.yemin" created="Thu, 18 Feb 2021 20:28:59 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;jyemin&apos;, &apos;email&apos;: &apos;jeff.yemin@mongodb.com&apos;, &apos;username&apos;: &apos;jyemin&apos;}
&lt;p&gt;Message: Fix CVE-2021-20328&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-4017&quot; title=&quot;Fix CVE-2021-20328&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-4017&quot;&gt;&lt;del&gt;JAVA-4017&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
Branch: 4.2.x&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/commit/0b441990d8621979c68a45586187f8a12c003f63&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-java-driver/commit/0b441990d8621979c68a45586187f8a12c003f63&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3623843" author="jeff.yemin" created="Thu, 18 Feb 2021 20:02:29 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;jyemin&apos;, &apos;email&apos;: &apos;jeff.yemin@mongodb.com&apos;, &apos;username&apos;: &apos;jyemin&apos;}
&lt;p&gt;Message: Fix CVE-2021-20328&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-4017&quot; title=&quot;Fix CVE-2021-20328&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-4017&quot;&gt;&lt;del&gt;JAVA-4017&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
Branch: 3.11.x&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/commit/dcd67f113549276b44795243d41a442e821d2f57&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-java-driver/commit/dcd67f113549276b44795243d41a442e821d2f57&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3623842" author="jeff.yemin" created="Thu, 18 Feb 2021 20:01:46 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;jyemin&apos;, &apos;email&apos;: &apos;jeff.yemin@mongodb.com&apos;, &apos;username&apos;: &apos;jyemin&apos;}
&lt;p&gt;Message: Fix CVE-2021-20328&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-4017&quot; title=&quot;Fix CVE-2021-20328&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-4017&quot;&gt;&lt;del&gt;JAVA-4017&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
Branch: 3.12.x&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/commit/ae5b1c0644456f1cf195846a37eea82f6248f812&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-java-driver/commit/ae5b1c0644456f1cf195846a37eea82f6248f812&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3623773" author="xgen-internal-githook" created="Thu, 18 Feb 2021 19:27:30 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;jyemin&apos;, &apos;email&apos;: &apos;jeff.yemin@mongodb.com&apos;, &apos;username&apos;: &apos;jyemin&apos;}
&lt;p&gt;Message: Fix CVE-2021-20328&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-4017&quot; title=&quot;Fix CVE-2021-20328&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-4017&quot;&gt;&lt;del&gt;JAVA-4017&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
Branch: 4.0.x&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/commit/2e258a502b3242b0dd7d5a5952e5cd219fce4c43&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-java-driver/commit/2e258a502b3242b0dd7d5a5952e5cd219fce4c43&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3623772" author="xgen-internal-githook" created="Thu, 18 Feb 2021 19:26:44 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;jyemin&apos;, &apos;email&apos;: &apos;jeff.yemin@mongodb.com&apos;, &apos;username&apos;: &apos;jyemin&apos;}
&lt;p&gt;Message: Fix CVE-2021-20328&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-4017&quot; title=&quot;Fix CVE-2021-20328&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-4017&quot;&gt;&lt;del&gt;JAVA-4017&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
Branch: 4.1.x&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/commit/2d95b7e8d3bf6175e3e7a22e48c88243e6aa45db&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-java-driver/commit/2d95b7e8d3bf6175e3e7a22e48c88243e6aa45db&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3623620" author="xgen-internal-githook" created="Thu, 18 Feb 2021 18:29:01 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;jyemin&apos;, &apos;email&apos;: &apos;jeff.yemin@mongodb.com&apos;, &apos;username&apos;: &apos;jyemin&apos;}
&lt;p&gt;Message: Fix CVE-2021-20328&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/browse/JAVA-4017&quot; title=&quot;Fix CVE-2021-20328&quot; class=&quot;issue-link&quot; data-issue-key=&quot;JAVA-4017&quot;&gt;&lt;del&gt;JAVA-4017&lt;/del&gt;&lt;/a&gt;&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo-java-driver/commit/60d87d5a76645a331a77ccc45ef7c67aac88b234&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo-java-driver/commit/60d87d5a76645a331a77ccc45ef7c67aac88b234&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hyh1qv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>