<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 04:40:23 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
<language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-35610] Refine LDAP options parsing</title>
                <link>https://jira.mongodb.org/browse/SERVER-35610</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;div class=&quot;panel&quot; style=&quot;background-color: #EEEEEE;border-color: #ccc;border-width: 1px;&quot;&gt;&lt;div class=&quot;panelHeader&quot; style=&quot;border-bottom-width: 1px;border-bottom-color: #ccc;background-color: #6CB33F;&quot;&gt;&lt;b&gt;Issue Status as of Jul 25, 2018&lt;/b&gt;&lt;/div&gt;&lt;div class=&quot;panelContent&quot; style=&quot;background-color: #EEEEEE;&quot;&gt;
&lt;p&gt;&lt;b&gt;ISSUE DESCRIPTION AND IMPACT&lt;/b&gt;&lt;br/&gt;
In MongoDB Enterprise, when a mongod server accepts authentication attempts via the PLAIN mechanism on the &lt;tt&gt;$external&lt;/tt&gt; database and is configured to use the Cyrus SASL GSSAPI mechanism for LDAP binding, then passwords are not validated.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;DIAGNOSIS AND AFFECTED VERSIONS&lt;/b&gt;&lt;br/&gt;
Users running MongoDB Enterprise 3.4 or 3.6 may be affected by this issue under the following conditions:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;MongoDB is on Linux or macOS, and&lt;/li&gt;
	&lt;li&gt;The PLAIN authentication mechanism on MongoDB is enabled (&lt;tt&gt;--setParameter authenticationMechanisms=PLAIN&lt;/tt&gt;), and either
	&lt;ul&gt;
		&lt;li&gt;MongoDB is configured to use native LDAP authentication and to bind to LDAP servers with the Cyrus SASL GSSAPI mechanism, i.e. &lt;tt&gt;security.ldap.bind.saslMechanisms&lt;/tt&gt; contains &apos;GSSAPI&apos;, or&lt;/li&gt;
		&lt;li&gt;MongoDB is configured to delegate PLAIN authentication to saslauthd, and saslauthd uses the LDAP backend with &lt;tt&gt;ldap_mech&lt;/tt&gt; set to &apos;GSSAPI&apos;&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;When all these conditions are present, a client can authenticate to the &lt;tt&gt;$external&lt;/tt&gt; database with only a valid LDAP username; the password it supplies is never checked. Unfortunately there is no way to determine if this vulnerability has been exploited by a malicious client.&lt;/p&gt;

&lt;p&gt;None of the following deployments are affected by this issue:&lt;/p&gt;
&lt;ul&gt;
	&lt;li&gt;MongoDB 3.2 and MongoDB 4.0 deployments&lt;/li&gt;
	&lt;li&gt;MongoDB deployments running on Microsoft Windows&lt;/li&gt;
	&lt;li&gt;MongoDB deployments that have not been configured to use the Cyrus SASL GSSAPI mechanism to bind to LDAP servers&lt;/li&gt;
	&lt;li&gt;MongoDB deployments that use the Cyrus SASL GSSAPI mechanism for LDAP authorization, but do not accept authentication attempts with the PLAIN authentication mechanism.&lt;/li&gt;
	&lt;li&gt;MongoDB deployments that use the Cyrus SASL GSSAPI mechanism to bind to LDAP servers during LDAP authorization, which delegate inbound PLAIN authentication attempts to an instance of saslauthd that binds to LDAP servers via a mechanism other than GSSAPI.&lt;/li&gt;
&lt;/ul&gt;



&lt;p&gt;&lt;b&gt;REMEDIATION AND WORKAROUNDS&lt;/b&gt;&lt;br/&gt;
There are several solutions which may be used to mitigate this issue:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;h5&gt;&lt;a name=&quot;Option1&quot;&gt;&lt;/a&gt;Option 1&lt;/h5&gt;
&lt;p&gt;Administrators may disable the PLAIN mechanism for MongoDB by removing &apos;PLAIN&apos; from the &lt;tt&gt;authenticationMechanisms&lt;/tt&gt; setParameter.&lt;/p&gt;&lt;/li&gt;
	&lt;li&gt;&lt;h5&gt;&lt;a name=&quot;Option2&quot;&gt;&lt;/a&gt;Option 2&lt;/h5&gt;
&lt;p&gt;If the LDAP service account password is known, and MongoDB must accept inbound authentication attempts using the PLAIN mechanism, remove the ability to bind to LDAP servers using the Cyrus SASL GSSAPI mechanism. This can be done by changing the &lt;a href=&quot;https://docs.mongodb.com/manual/reference/configuration-options/#security.ldap.bind.saslMechanisms&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;&lt;tt&gt;security.ldap.bind.saslMechanisms&lt;/tt&gt;&lt;/a&gt; configuration parameter to a mechanism other than &quot;GSSAPI&quot;. The service account password is needed because a non-GSSAPI bind authenticates with the credentials in &lt;tt&gt;security.ldap.bind.queryUser&lt;/tt&gt; and &lt;tt&gt;security.ldap.bind.queryPassword&lt;/tt&gt; rather than with Kerberos credentials.&lt;/p&gt;&lt;/li&gt;
	&lt;li&gt;&lt;h5&gt;&lt;a name=&quot;Option3&quot;&gt;&lt;/a&gt;Option 3&lt;/h5&gt;
&lt;p&gt;If MongoDB must perform LDAP authorization against a server it binds to with GSSAPI, and clients that present plaintext passwords over PLAIN must still be verified against Kerberos, MongoDB can keep binding to LDAP servers with GSSAPI but must delegate PLAIN authentication attempts to a saslauthd instance that uses the &apos;kerberos5&apos; backend. Configure saslauthd to use the &apos;kerberos5&apos; backend, consulting the saslauthd documentation as necessary, and configure MongoDB to use it by setting &lt;tt&gt;setParameter.saslauthdPath&lt;/tt&gt; to the path of saslauthd&apos;s Unix domain socket.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;&lt;b&gt;FIX VERSIONS&lt;/b&gt;&lt;br/&gt;
MongoDB 3.6.6 and 3.4.16, &lt;a href=&quot;https://www.mongodb.com/download-center#enterprise&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;available for download&lt;/a&gt;, contain a mitigation for this issue: a mongod started with an affected configuration refuses to start. Administrators must therefore correct their configuration as described above before upgrading.&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;</description>
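The affected-configuration conditions and the three remediation options above, turned into an offline configuration audit. This is an added example, not MongoDB's code and not the start-up check that 3.4.16 / 3.6.6 perform. It assumes a mongod YAML config made only of nested mappings with scalar values (no sequences, no flow style), a saslauthd whose backend is given by the MECHANISMS setting of its service defaults file and whose LDAP options come from saslauthd.conf, and that a --setParameter on the command line overrides the same parameter in the file; the hostname, socket path and finding strings are constructed for illustration.

```python
"""Audit a mongod deployment for the preconditions listed in SERVER-35610.

Added example; not MongoDB's code and not the start-up check the fix
versions perform. Assumptions: YAML config of nested scalar mappings only;
saslauthd backend supplied by the caller; a command-line --setParameter
overrides the file.
"""
import re

FINDING_NATIVE_GSSAPI = "PLAIN accepted and native LDAP bind uses GSSAPI"
FINDING_SASLAUTHD_GSSAPI = "PLAIN accepted and saslauthd LDAP backend uses ldap_mech GSSAPI"


def version_affected(version):
    """True for 3.4.0 through 3.4.15 and 3.6.0 through 3.6.5. 3.2, 4.0 and
    the fix versions 3.4.16 / 3.6.6 are not affected."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if m is None:
        raise ValueError("unrecognised version string: " + version)
    major, minor, patch = (int(p) for p in m.groups())
    return (((major, minor) == (3, 4) and patch in range(16)) or
            ((major, minor) == (3, 6) and patch in range(6)))


def parse_yaml_subset(text):
    """Flatten nested YAML mappings into dotted keys such as
    security.ldap.bind.saslMechanisms (scalar values only)."""
    flat, stack = {}, []                # stack: (indent, key) of open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("\"'")
        if value:
            flat[".".join(k for _, k in stack)] = value
    return flat


def apply_cli_set_parameters(flat, argv):
    """Fold --setParameter name=value pairs (either spelling) from the mongod
    command line into the flattened config."""
    tokens = list(argv)
    pairs = [tokens[i + 1] for i, tok in enumerate(tokens[:-1]) if tok == "--setParameter"]
    pairs += [tok.partition("=")[2] for tok in tokens if tok.startswith("--setParameter=")]
    for pair in pairs:
        name, _, value = pair.partition("=")
        flat["setParameter." + name] = value
    return flat


def parse_saslauthd_conf(text):
    """saslauthd.conf is a flat list of 'key: value' lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf


def _mechanisms(csv):
    return {m.strip().upper() for m in csv.split(",") if m.strip()}


def audit(mongod_yaml, version, platform, argv=(), saslauthd_mechanisms="", saslauthd_conf=""):
    """Return the findings for one deployment; [] means the advisory's
    conditions are not all met."""
    if not version_affected(version) or platform.lower() not in ("linux", "macos", "darwin"):
        return []                       # other versions and Windows are out of scope
    cfg = apply_cli_set_parameters(parse_yaml_subset(mongod_yaml), argv)
    # Assumption: PLAIN counts as enabled only when listed explicitly; consult
    # the build's default mechanism set if the parameter is absent.
    if "PLAIN" not in _mechanisms(cfg.get("setParameter.authenticationMechanisms", "")):
        return []
    findings = []
    if cfg.get("setParameter.saslauthdPath"):
        # PLAIN is handed to saslauthd, so only its backend matters (Option 3).
        ldap_mech = parse_saslauthd_conf(saslauthd_conf).get("ldap_mech", "")
        if saslauthd_mechanisms.lower() == "ldap" and ldap_mech.upper() == "GSSAPI":
            findings.append(FINDING_SASLAUTHD_GSSAPI)
    elif cfg.get("security.ldap.servers"):
        # Native LDAP authentication: mongod's own bind mechanism is used.
        if "GSSAPI" in _mechanisms(cfg.get("security.ldap.bind.saslMechanisms", "")):
            findings.append(FINDING_NATIVE_GSSAPI)
    return findings


# Constructed sample configs; the host and socket path are illustrative.
VULNERABLE_CONFIG = """\
security:
  authorization: enabled
  ldap:
    servers: "ldap.example.internal"
    bind:
      method: sasl
      saslMechanisms: "GSSAPI"
setParameter:
  authenticationMechanisms: "PLAIN,SCRAM-SHA-1"
"""
OPTION1_CONFIG = VULNERABLE_CONFIG.replace('"PLAIN,SCRAM-SHA-1"', '"SCRAM-SHA-1"')  # drop PLAIN
OPTION2_CONFIG = VULNERABLE_CONFIG.replace('"GSSAPI"', '"DIGEST-MD5"')               # non-GSSAPI bind
OPTION3_CONFIG = VULNERABLE_CONFIG + "  saslauthdPath: /run/saslauthd/mux\n"        # delegate PLAIN
SASLAUTHD_LDAP_GSSAPI_CONF = "ldap_servers: ldap://ldap.example.internal\nldap_mech: GSSAPI\n"
```

Calling audit(VULNERABLE_CONFIG, "3.6.5", "linux") reports the native GSSAPI finding, while the same config on 3.6.6, on Windows, or after any of the three options returns an empty list; OPTION3_CONFIG with saslauthd_mechanisms="ldap" and SASLAUTHD_LDAP_GSSAPI_CONF reproduces the second affected case. The Option 2 sample omits the security.ldap.bind.queryUser and queryPassword a non-GSSAPI bind needs, since the audit keys only on the mechanism, as the advisory does. The saslauthd backend is passed in separately because it lives in the service defaults file (for example MECHANISMS in /etc/default/saslauthd on Debian-derived systems), not in saslauthd.conf.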
                <environment></environment>
        <key id="559786">SERVER-35610</key>
            <summary>Refine LDAP options parsing</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="spencer.jackson@mongodb.com">Spencer Jackson</assignee>
                                    <reporter username="spencer.jackson@mongodb.com">Spencer Jackson</reporter>
                        <labels>
                    </labels>
                <created>Fri, 15 Jun 2018 00:03:20 +0000</created>
                <updated>Sun, 29 Oct 2023 22:30:46 +0000</updated>
                            <resolved>Fri, 15 Jun 2018 00:12:44 +0000</resolved>
                                                    <fixVersion>3.4.16</fixVersion>
                    <fixVersion>3.6.6</fixVersion>
                    <fixVersion>4.0.0</fixVersion>
                    <fixVersion>4.1.1</fixVersion>
                                    <component>Internal Code</component>
                                        <votes>0</votes>
                                    <watches>8</watches>
                                                                                                                <comments>
                            <comment id="1925373" author="xgen-internal-githook" created="Tue, 19 Jun 2018 19:20:20 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;username&apos;: &apos;spencerjackson&apos;, &apos;name&apos;: &apos;Spencer Jackson&apos;, &apos;email&apos;: &apos;spencer.jackson@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-35610&quot; title=&quot;Refine LDAP options parsing&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-35610&quot;&gt;&lt;del&gt;SERVER-35610&lt;/del&gt;&lt;/a&gt; Refine LDAP options parsing&lt;/p&gt;

&lt;p&gt;(cherry picked from commit bc372f0a85334204f435a09cc178727ec48b5541)&lt;br/&gt;
(cherry picked from commit 75494e7da469302608a263823625d415d475ddb0)&lt;br/&gt;
Branch: v3.4&lt;br/&gt;
&lt;a href=&quot;https://github.com/10gen/mongo-enterprise-modules/commit/65076202d73830200c78d4edd088c4d7a5df475c&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/10gen/mongo-enterprise-modules/commit/65076202d73830200c78d4edd088c4d7a5df475c&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1924267" author="xgen-internal-githook" created="Mon, 18 Jun 2018 21:56:03 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;username&apos;: &apos;spencerjackson&apos;, &apos;name&apos;: &apos;Spencer Jackson&apos;, &apos;email&apos;: &apos;spencer.jackson@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-35610&quot; title=&quot;Refine LDAP options parsing&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-35610&quot;&gt;&lt;del&gt;SERVER-35610&lt;/del&gt;&lt;/a&gt; Refine LDAP options parsing&lt;/p&gt;

&lt;p&gt;(cherry picked from commit bc372f0a85334204f435a09cc178727ec48b5541)&lt;br/&gt;
Branch: v3.6&lt;br/&gt;
&lt;a href=&quot;https://github.com/10gen/mongo-enterprise-modules/commit/75494e7da469302608a263823625d415d475ddb0&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/10gen/mongo-enterprise-modules/commit/75494e7da469302608a263823625d415d475ddb0&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1921378" author="xgen-internal-githook" created="Fri, 15 Jun 2018 00:10:24 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;username&apos;: &apos;spencerjackson&apos;, &apos;name&apos;: &apos;Spencer Jackson&apos;, &apos;email&apos;: &apos;spencer.jackson@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-35610&quot; title=&quot;Refine LDAP options parsing&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-35610&quot;&gt;&lt;del&gt;SERVER-35610&lt;/del&gt;&lt;/a&gt; Refine LDAP options parsing&lt;/p&gt;

&lt;p&gt;(cherry picked from commit bc372f0a85334204f435a09cc178727ec48b5541)&lt;br/&gt;
Branch: v4.0&lt;br/&gt;
&lt;a href=&quot;https://github.com/10gen/mongo-enterprise-modules/commit/975a18a4c889dbb81468232095e61c88a96d3fef&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/10gen/mongo-enterprise-modules/commit/975a18a4c889dbb81468232095e61c88a96d3fef&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="1921375" author="xgen-internal-githook" created="Fri, 15 Jun 2018 00:08:40 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;username&apos;: &apos;spencerjackson&apos;, &apos;name&apos;: &apos;Spencer Jackson&apos;, &apos;email&apos;: &apos;spencer.jackson@mongodb.com&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-35610&quot; title=&quot;Refine LDAP options parsing&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-35610&quot;&gt;&lt;del&gt;SERVER-35610&lt;/del&gt;&lt;/a&gt; Refine LDAP options parsing&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/10gen/mongo-enterprise-modules/commit/bc372f0a85334204f435a09cc178727ec48b5541&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/10gen/mongo-enterprise-modules/commit/bc372f0a85334204f435a09cc178727ec48b5541&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10420">
                    <name>Backports</name>
                                            <outwardlinks description="backported by">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                            <outwardlinks description="depends on">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_12450" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Backport Requested</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="15640"><![CDATA[v4.0]]></customfieldvalue>
    <customfieldvalue key="15141"><![CDATA[v3.6]]></customfieldvalue>
    <customfieldvalue key="14340"><![CDATA[v3.4]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10011"><![CDATA[Minor Change]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[500A000000bS00nIAC]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 15 Jun 2018 00:08:40 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        5 years, 34 weeks, 1 day ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[<s><a href='https://jira.mongodb.org/browse/WRITING-3018'>WRITING-3018</a></s>]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            5 years, 34 weeks, 1 day ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>spencer.jackson@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hu0omn:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|htrjhj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="2323">Platforms 2018-06-18</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11861" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>User Summary</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="11858"><![CDATA[Completed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hu0avz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>