<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 05:29:49 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-53064] Connections created using transient SSL params should not be stored in the global DBConnectionPool - security risk</title>
                <link>https://jira.mongodb.org/browse/SERVER-53064</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;The global&#160;DBConnectionPool keeps reusable connections. If a connection was created using transient SSL params, it should not be recycled&#160;into this pool, because it can be picked from some other code logic and that will be a security risk.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1551147">SERVER-53064</key>
            <summary>Connections created using transient SSL params should not be stored in the global DBConnectionPool - security risk</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="andrew.shuvalov@mongodb.com">Andrew Shuvalov</assignee>
                                    <reporter username="andrew.shuvalov@mongodb.com">Andrew Shuvalov</reporter>
                        <labels>
                            <label>pm-1791_milestone-P</label>
                            <label>pm-1791_non-cloud-blocking</label>
                    </labels>
                <created>Tue, 24 Nov 2020 18:30:41 +0000</created>
                <updated>Sun, 29 Oct 2023 22:00:03 +0000</updated>
                            <resolved>Sun, 21 Feb 2021 23:37:38 +0000</resolved>
                                                    <fixVersion>5.0.0</fixVersion>
                                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="3626566" author="xgen-internal-githook" created="Sat, 20 Feb 2021 23:21:04 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Andrew Shuvalov&apos;, &apos;email&apos;: &apos;andrew.shuvalov@mongodb.com&apos;, &apos;username&apos;: &apos;shuvalov-mdb&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-53064&quot; title=&quot;Connections created using transient SSL params should not be stored in the global DBConnectionPool - security risk&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-53064&quot;&gt;&lt;del&gt;SERVER-53064&lt;/del&gt;&lt;/a&gt;: connection created using transient SSL params cannot be recycled&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/5199abc5b9113e310a79d9ec29a5ac6b77ad5682&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/5199abc5b9113e310a79d9ec29a5ac6b77ad5682&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3574576" author="JIRAUSER1256988" created="Wed, 20 Jan 2021 21:25:53 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=spencer.jackson&quot; class=&quot;user-hover&quot; rel=&quot;spencer.jackson&quot;&gt;spencer.jackson&lt;/a&gt;, just want to get your opinion for above. Please don&apos;t worry about the code, just the summary that there is a potential future danger as the code evolves, where putting some protective fences right now will require some more significant refactoring. I can either proceed with agreed priority or close this with &quot;won&apos;t fix&quot;.&lt;/p&gt;</comment>
                            <comment id="3573639" author="JIRAUSER1256988" created="Wed, 20 Jan 2021 15:49:16 +0000"  >&lt;ol&gt;
	&lt;li&gt;I verified the &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=cheahuychou.mao&quot; class=&quot;user-hover&quot; rel=&quot;cheahuychou.mao&quot;&gt;cheahuychou.mao&lt;/a&gt;&#160;assessment above that the recycling the connection to global pool never happens&lt;/li&gt;
	&lt;li&gt;I made an experiment by adding some temporary print statements to the pool `done()` method and ran all tenant migration tests - the log was never printed&lt;/li&gt;
	&lt;li&gt;I actually prepared a fix that will prevent this from happening in the future&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;The reasoning why I still think a fix is necessary: we are only one refactoring away from the security condition being triggered. Indeed we use&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/dfb857953579304273b2737d7c8a094d19d13853/src/mongo/client/connection_string_connect.cpp#L63&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;DBClientConnection::connect&lt;/a&gt;, which is not using global pool. However, I don&apos;t see why a refactoring that would also make using the&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/dfb857953579304273b2737d7c8a094d19d13853/src/mongo/client/connection_string_connect.cpp#L82&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;DBClientReplicaSet::connect&lt;/a&gt;&#160;is impossible. Nobody will ever remember this little detail and the security risk may be introduced by unrelated code changes years down the road. So I&apos;m posting the fix.&lt;/p&gt;</comment>
                            <comment id="3525832" author="JIRAUSER1256988" created="Thu, 10 Dec 2020 20:22:04 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=cheahuychou.mao&quot; class=&quot;user-hover&quot; rel=&quot;cheahuychou.mao&quot;&gt;cheahuychou.mao&lt;/a&gt;&#160;said:&lt;/p&gt;

&lt;p&gt;&quot;I don&#8217;t think this issue exists on the donor side since we use separate NetworkInterfaceTL/ConnectionPool for each migration.&lt;/p&gt;

&lt;p&gt;I also don&apos;t this issue exists on the recipient side. Here is the reasoning:&lt;/p&gt;
&lt;ol&gt;
	&lt;li&gt;&#160;&lt;tt&gt;DBConnectionPool&lt;/tt&gt;&#160;creates each&#160;&lt;tt&gt;DBClientBase&lt;/tt&gt;&#160;connection inside&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/dfb857953579304273b2737d7c8a094d19d13853/src/mongo/client/connpool.cpp#L390&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;DBConnectionPool::get&lt;/a&gt;&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/dfb857953579304273b2737d7c8a094d19d13853/src/mongo/client/connpool.cpp#L275&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;&#160;and&#160;saves it for reuse inside&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/7c51aca7fd085ead0ae3e19d967ff1abf111d13a/src/mongo/client/connpool.cpp#L452&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;DBConnectionPool::release&lt;/a&gt;&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/7c51aca7fd085ead0ae3e19d967ff1abf111d13a/src/mongo/client/connpool.cpp#L144&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;.&#160;&#160;&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;globalConnPool.get&lt;/tt&gt;&#160;and&#160;&lt;tt&gt;globalConnPool.release&lt;/tt&gt;&#160;are only used inside&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/7c51aca7fd085ead0ae3e19d967ff1abf111d13a/src/mongo/client/connpool.cpp#L666&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;ScopedDbConnection&lt;/a&gt;&#160;and&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/322d6dc73aac61c675d00ee0e45bedecbc286f4d/src/mongo/client/dbclient_rs.cpp#L810&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;DBClientReplicaSet&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;&lt;tt&gt;TenantMigrationRecipientService&lt;/tt&gt;&#160;calls&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/dfb857953579304273b2737d7c8a094d19d13853/src/mongo/db/repl/tenant_migration_recipient_service.cpp#L269&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;ConnectionString::connect on the donor&#8217;s primary connection string&lt;/a&gt;&#160;so it uses&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/dfb857953579304273b2737d7c8a094d19d13853/src/mongo/client/connection_string_connect.cpp#L63&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;DBClientConnection::connect&lt;/a&gt;&#160;not&#160;&lt;a href=&quot;https://github.com/mongodb/mongo/blob/dfb857953579304273b2737d7c8a094d19d13853/src/mongo/client/connection_string_connect.cpp#L82&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;DBClientReplicaSet::connect&lt;/a&gt;&#160;(&lt;a href=&quot;https://mongodbcr.appspot.com/720780001/diff/726880001/src/mongo/client/connection_string_connect.cpp#newcode73&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;here&lt;/a&gt;&#160;is the code that I had to change to make the recipient use SSL connection to connect to the donor).&quot;&lt;/li&gt;
&lt;/ol&gt;


&lt;p&gt;I will confirm it later when pending SSL related code is submitted, I still want to do an experiment but it requires changes that are not in the repo yet.&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 27 Jan 2021 02:14:29 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        2 years, 50 weeks, 4 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16941"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10857" key="com.pyxis.greenhopper.jira:gh-epic-link">
                        <customfieldname>Epic Link</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>PM-1791</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            2 years, 50 weeks, 4 days ago
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>andrew.shuvalov@mongodb.com</customfieldvalue>
            <customfieldvalue>xgen-internal-githook</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hyiwxj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hyctb3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="4483">Sharding 2021-01-25</customfieldvalue>
    <customfieldvalue id="4485">Sharding 2021-02-22</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hyij6v:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>