<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 03:45:02 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-17610] Vulnerable OpenSSL version used in Windows build</title>
                <link>https://jira.mongodb.org/browse/SERVER-17610</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;I just downloaded the &quot;win32/mongodb-win32-x86_64-2008plus-ssl-v3.0-latest.zip&quot; from the build archive, extracted the server and started it. &lt;/p&gt;

&lt;p&gt;According to the log it is version &quot;db version v3.0.1-rc1-pre-&quot;&lt;/p&gt;

&lt;p&gt;In the log output I noticed the output&lt;br/&gt;
&quot;OpenSSL version: OpenSSL 0.9.8r 8 Feb 2011&quot;&lt;/p&gt;

&lt;p&gt;I hope this is a joke. I just don&apos;t want to know how many known vulnerabilities are included in this version. I assume at least one will be relevant for Mongo!&lt;/p&gt;</description>
                <environment></environment>
        <key id="189787">SERVER-17610</key>
            <summary>Vulnerable OpenSSL version used in Windows build</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="9">Done</resolution>
                                        <assignee username="jonathan.reams@mongodb.com">Jonathan Reams</assignee>
                                    <reporter username="mango">Jan S.</reporter>
                        <labels>
                    </labels>
                <created>Mon, 16 Mar 2015 16:39:33 +0000</created>
                <updated>Fri, 20 Mar 2015 16:56:59 +0000</updated>
                            <resolved>Wed, 18 Mar 2015 15:21:35 +0000</resolved>
                                    <version>3.0.1</version>
                                                    <component>Security</component>
                                        <votes>0</votes>
                                    <watches>12</watches>
                                                                                                                <comments>
                            <comment id="855655" author="jonathan.reams@10gen.com" created="Tue, 17 Mar 2015 14:54:03 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=mango&quot; class=&quot;user-hover&quot; rel=&quot;mango&quot;&gt;mango&lt;/a&gt;, the SSL-enabled builds are a new feature of 3.0, and the MSI is the preferred and most-supported method of installation. The &quot;2k8plus-ssl&quot; in the file name actually means that it&apos;s built to be compatible with Windows 2008 and above, and is linked against SSL, rather than built on Windows 2008 and includes SSL; sorry for the confusion. We do already have a ticket, &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-17368&quot; title=&quot;Create windows SSL zip file with OpenSSL files&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-17368&quot;&gt;&lt;del&gt;SERVER-17368&lt;/del&gt;&lt;/a&gt;, to add the SSL libraries to the zip files. In the meantime, I would strongly recommend using the MSIs on Windows if you&apos;re using the SSL-enabled build.&lt;/p&gt;</comment>
                            <comment id="853331" author="mango" created="Mon, 16 Mar 2015 20:06:31 +0000"  >&lt;p&gt;First of all, that the MSI contains more than the zip is unexpected. Especially as the filename contains the string &quot;plus-ssl&quot;.&lt;/p&gt;

&lt;p&gt;Second, on Windows it is a very bad idea to rely on existing non-standard DLLs being installed. The DLL search path contains the PATH environment variable, therefore not only libraries in the Windows system32 directory are loaded. As a lot of applications put themselves onto the PATH, it is unclear which libraries will be loaded.&lt;/p&gt;

&lt;p&gt;Luckily I did not make my tests on a productive system. On the test system I started Mongo on, the &quot;winner&quot; turned out to be an old installation of the &quot;Intel Trusted Connect Service Client&quot;. Even as a security-aware person I did not have that software on my list of software that may cause my system to become insecure...&lt;/p&gt;

&lt;p&gt;Furthermore I tested some libssl32.dll/libeay32.dll I found on my system and copied them into the mongo/bin directory. They were ignored by mongo - I assume because they were incompatible (other compiler -&amp;gt; other calling convention?). Only the two libraries from the MSI version (and those from the old Intel TCSC installation) worked as expected.&lt;/p&gt;

&lt;p&gt;Hence I strongly recommend including these libraries in the ZIP version as well...&lt;/p&gt;</comment>
                            <comment id="853170" author="jonathan.reams@10gen.com" created="Mon, 16 Mar 2015 18:18:37 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=mango&quot; class=&quot;user-hover&quot; rel=&quot;mango&quot;&gt;mango&lt;/a&gt;, MongoDB is built, tested, and distributed with (in the MSI) OpenSSL 1.0.1j. However, the zip files don&apos;t include a copy of the OpenSSL libraries they&apos;re built with. We strongly recommend that you use the MSI installer because they do include OpenSSL. Otherwise, Windows will run MongoDB with whatever copy of OpenSSL is installed on your system.&lt;/p&gt;

&lt;p&gt;If you want to use the zip files, you should put a copy of the OpenSSL libraries into the same directory as the MongoDB executables, or update the OpenSSL libraries already installed on your system. If there are no OpenSSL libraries installed on your system, there should be a system error that says &quot;The program can&apos;t start because LIBEAY32.dll is missing from your computer.&quot;&lt;/p&gt;

&lt;p&gt;Can you check in c:\windows\system32 for two files called libeay32.dll and ssleay32.dll?&lt;/p&gt;</comment>
                            <comment id="853084" author="andreas.nilsson@10gen.com" created="Mon, 16 Mar 2015 17:38:49 +0000"  >&lt;p&gt;Thanks for your report &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=mango&quot; class=&quot;user-hover&quot; rel=&quot;mango&quot;&gt;mango&lt;/a&gt;. Can you provide the exact location of where you downloaded the binary?&lt;/p&gt;

&lt;p&gt;Also, was there an existing instance of OpenSSL running on the server before you launched mongo?&lt;/p&gt;

&lt;p&gt;Thank you,&lt;br/&gt;
Andreas&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="185968">SERVER-17368</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 16 Mar 2015 16:53:37 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        8 years, 48 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>crystal.horn@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            8 years, 48 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10022"><![CDATA[Windows]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>andreas.nilsson</customfieldvalue>
            <customfieldvalue>mango</customfieldvalue>
            <customfieldvalue>jonathan.reams@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrlamf:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hrexzr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="426">BUILD 0 3/13/15</customfieldvalue>
    <customfieldvalue id="453">BUILD 1 04/03/15</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hrnumn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>