<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 05:46:16 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-59071] Using $sample can trigger invariant when connecting directly to shards</title>
                <link>https://jira.mongodb.org/browse/SERVER-59071</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;div class=&quot;panel&quot; style=&quot;background-color: #eeeeee;border-color: #cccccc;border-width: 1px;&quot;&gt;&lt;div class=&quot;panelHeader&quot; style=&quot;border-bottom-width: 1px;border-bottom-color: #cccccc;background-color: #6cb33f;&quot;&gt;&lt;b&gt;CVE-2021-32037&lt;/b&gt;&lt;/div&gt;&lt;div class=&quot;panelContent&quot; style=&quot;background-color: #eeeeee;&quot;&gt;
&lt;p&gt;&lt;b&gt;Title&lt;/b&gt; &lt;br/&gt;
User may trigger invariant when allowed to send commands directly to shards&lt;/p&gt;

&lt;p&gt;&lt;b&gt;CVE ID&lt;/b&gt;&lt;br/&gt;
CVE-2021-32037&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Description&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;An authorized user may trigger an invariant, which may result in denial of service or server exit, if a relevant aggregation request is sent directly to a shard. Usually, such requests are sent via mongos, and special privileges are required in order to know the addresses of the shards and to log in to the shards of an auth-enabled environment.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;CVSS score&lt;/b&gt;&lt;br/&gt;
 This issue&apos;s CVSS:3.1 severity is scored at 6.5 using the following scoring metrics:&lt;br/&gt;
 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Affected versions&lt;/b&gt;&lt;br/&gt;
MongoDB Server v5.0.0-v5.0.2&lt;/p&gt;

&lt;p&gt;&lt;b&gt;CWE&lt;/b&gt; &lt;br/&gt;
CWE-617: Reachable Assertion&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Underlying operating systems affected&lt;/b&gt;&lt;br/&gt;
 ALL&lt;/p&gt;

&lt;p&gt;&lt;b&gt;How the issue was reported&lt;/b&gt;: &lt;br/&gt;
 Externally&lt;/p&gt;

&lt;p&gt;&lt;b&gt;External Reference link (server ticket)&lt;/b&gt; &lt;br/&gt;
 &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-59071&quot; title=&quot;Using $sample can trigger invariant when connecting directly to shards&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-59071&quot;&gt;&lt;del&gt;SERVER-59071&lt;/del&gt;&lt;/a&gt;&lt;/p&gt;
&lt;/div&gt;&lt;/div&gt;</description>
                <environment></environment>
        <key id="1839996">SERVER-59071</key>
            <summary>Using $sample can trigger invariant when connecting directly to shards</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="eric.cox@mongodb.com">Eric Cox</assignee>
                                    <reporter username="randolph@mongodb.com">Randolph Tan</reporter>
                        <labels>
                    </labels>
                <created>Tue, 3 Aug 2021 18:38:54 +0000</created>
                <updated>Sun, 29 Oct 2023 21:49:58 +0000</updated>
                            <resolved>Wed, 11 Aug 2021 18:36:40 +0000</resolved>
                                    <version>5.0.2</version>
                                    <fixVersion>5.0.3</fixVersion>
                    <fixVersion>5.1.0-rc0</fixVersion>
                                                        <votes>1</votes>
                                    <watches>21</watches>
                                                                                                                <comments>
                            <comment id="4462503" author="renctan" created="Wed, 6 Apr 2022 19:53:04 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=aju.raju%40bnymellon.com&quot; class=&quot;user-hover&quot; rel=&quot;aju.raju@bnymellon.com&quot;&gt;aju.raju@bnymellon.com&lt;/a&gt; This issue didn&apos;t exist before v5.0&lt;/p&gt;</comment>
                            <comment id="4462262" author="JIRAUSER1269350" created="Wed, 6 Apr 2022 18:43:03 +0000"  >&lt;p&gt;Is this addressed in any MongoDB version prior to v5.0 (e.g., v4.2)?&lt;/p&gt;</comment>
                            <comment id="3997334" author="xgen-internal-githook" created="Thu, 12 Aug 2021 14:12:24 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Eric Cox&apos;, &apos;email&apos;: &apos;eric.cox@mongodb.com&apos;, &apos;username&apos;: &apos;ericox&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-59071&quot; title=&quot;Using $sample can trigger invariant when connecting directly to shards&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-59071&quot;&gt;&lt;del&gt;SERVER-59071&lt;/del&gt;&lt;/a&gt; Treat &apos;$sample&apos; as unsharded when connecting directly to shards&lt;/p&gt;

&lt;p&gt;(cherry picked from commit f3604b901d688c194de5e430c7fbab060c9dc8e0)&lt;br/&gt;
Branch: v5.0&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/a5e2f9b0a236462a6d1ca129583c617f111367b4&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/a5e2f9b0a236462a6d1ca129583c617f111367b4&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3995422" author="xgen-internal-githook" created="Wed, 11 Aug 2021 16:20:36 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Eric Cox&apos;, &apos;email&apos;: &apos;eric.cox@mongodb.com&apos;, &apos;username&apos;: &apos;ericox&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-59071&quot; title=&quot;Using $sample can trigger invariant when connecting directly to shards&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-59071&quot;&gt;&lt;del&gt;SERVER-59071&lt;/del&gt;&lt;/a&gt; Treat &apos;$sample&apos; as unsharded when connecting directly to shards&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/f3604b901d688c194de5e430c7fbab060c9dc8e0&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/f3604b901d688c194de5e430c7fbab060c9dc8e0&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3993572" author="xgen-internal-githook" created="Tue, 10 Aug 2021 21:23:50 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Eric Cox&apos;, &apos;email&apos;: &apos;eric.cox@mongodb.com&apos;, &apos;username&apos;: &apos;ericox&apos;}
&lt;p&gt;Message: Revert &quot;&lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-59071&quot; title=&quot;Using $sample can trigger invariant when connecting directly to shards&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-59071&quot;&gt;&lt;del&gt;SERVER-59071&lt;/del&gt;&lt;/a&gt; Treat &apos;$sample&apos; as unsharded when connecting directly to shards&quot;&lt;/p&gt;

&lt;p&gt;This reverts commit f3e8bfb0ea52ae167e097f3f3fd9bf183e6b4a8a.&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/ea7c4aad494ca70edb3a7876226a3f5321fda27b&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/ea7c4aad494ca70edb3a7876226a3f5321fda27b&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3992890" author="xgen-internal-githook" created="Tue, 10 Aug 2021 17:11:17 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Eric Cox&apos;, &apos;email&apos;: &apos;eric.cox@mongodb.com&apos;, &apos;username&apos;: &apos;ericox&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-59071&quot; title=&quot;Using $sample can trigger invariant when connecting directly to shards&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-59071&quot;&gt;&lt;del&gt;SERVER-59071&lt;/del&gt;&lt;/a&gt; Treat &apos;$sample&apos; as unsharded when connecting directly to shards&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/f3e8bfb0ea52ae167e097f3f3fd9bf183e6b4a8a&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/f3e8bfb0ea52ae167e097f3f3fd9bf183e6b4a8a&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="3986524" author="eric.cox" created="Fri, 6 Aug 2021 22:41:32 +0000"  >&lt;p&gt;The fix is pretty simple here: it follows what &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=kaloian.manassiev&quot; class=&quot;user-hover&quot; rel=&quot;kaloian.manassiev&quot;&gt;kaloian.manassiev&lt;/a&gt;&#160;suggests, namely to only try to get the shardFilterer if we have already checked that the collection is sharded via &lt;tt&gt;CollectionShardingState::getCollectionDescription()-&amp;gt;isSharded()&lt;/tt&gt;. When we connect directly to a shard and run a $sample in an agg pipeline, $sample will now run as if it were running against a single-node mongod.&lt;/p&gt;

&lt;p&gt;&#160;&lt;/p&gt;</comment>
                            <comment id="3982301" author="kaloian.manassiev" created="Thu, 5 Aug 2021 07:26:39 +0000"  >&lt;p&gt;Just want to add here that it is the responsibility of $sample not to try to use the orphan filter if it is not run on a sharded collection. When directly connecting to a shard or executing as a replica set, all collections are &lt;b&gt;unsharded&lt;/b&gt; for all intents and purposes. So I am passing this ticket to the Query Execution team. The fix would be to check &lt;tt&gt;CollectionShardingState::getCollectionDescription()-&amp;gt;isSharded()&lt;/tt&gt; before deciding to attach the orphan filtering stage.&lt;/p&gt;</comment>
                            <comment id="3978796" author="renctan" created="Tue, 3 Aug 2021 18:45:57 +0000"  >&lt;p&gt;Note: based on my testing, mongos attaches version (0, 0) for unsharded collections, so it doesn&apos;t hit this invariant when using $sample on them.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10420">
                    <name>Backports</name>
                                            <outwardlinks description="backported by">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10520">
                    <name>Problem/Incident</name>
                                            <outwardlinks description="causes">
                                                        </outwardlinks>
                                                        </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                            <attachment id="328275" name="test.js" size="555" author="randolph@mongodb.com" created="Tue, 3 Aug 2021 18:57:15 +0000"/>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_12450" key="com.atlassian.jira.plugin.system.customfieldtypes:multicheckboxes">
                        <customfieldname>Backport Requested</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="21777"><![CDATA[v5.0]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5002K00000xD99zQAC]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Thu, 5 Aug 2021 07:26:39 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        1 year, 44 weeks ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16941"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            1 year, 44 weeks ago
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_16465" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Linked BF Score</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>176.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>aju.raju@bnymellon.com</customfieldvalue>
            <customfieldvalue>eric.cox@mongodb.com</customfieldvalue>
            <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>kaloian.manassiev@mongodb.com</customfieldvalue>
            <customfieldvalue>randolph@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hzvutj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hzg1xb:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="4713">QE 2021-08-09</customfieldvalue>
    <customfieldvalue id="4715">QE 2021-08-23</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|hzvh2n:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>