<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 05:49:17 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-60230] MongoDB audit filter for drop collection can be bypassed</title>
                <link>https://jira.mongodb.org/browse/SERVER-60230</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;MongoDB server version: 4.4.1&lt;br/&gt;
CentOS Linux release 7.6.1810 (Core)&lt;/p&gt;

&lt;p&gt;&#160;&lt;br/&gt;
MongoDB audit filter is able to audit the createCollection and dropCollection actions.&lt;br/&gt;
But with method db.dropDatabase, the attacker could bypass the audit filter by removing the current database.&lt;/p&gt;</description>
                <environment></environment>
        <key id="1884002">SERVER-60230</key>
            <summary>MongoDB audit filter for drop collection can be bypassed</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="3">Duplicate</resolution>
                                        <assignee username="eric.sedor@mongodb.com">Eric Sedor</assignee>
                                    <reporter username="zhuqiangtj@gmail.com">Zhu Eddie</reporter>
                        <labels>
                            <label>Bug</label>
                    </labels>
                <created>Mon, 27 Sep 2021 07:53:43 +0000</created>
                <updated>Mon, 18 Oct 2021 17:54:34 +0000</updated>
                            <resolved>Mon, 18 Oct 2021 17:54:34 +0000</resolved>
                                    <version>4.4.1</version>
                <votes>0</votes>
                <watches>2</watches>
                <comments>
                            <comment id="4108775" author="eric.sedor" created="Wed, 6 Oct 2021 21:08:25 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=zhuqiangtj%40gmail.com&quot; class=&quot;user-hover&quot; rel=&quot;zhuqiangtj@gmail.com&quot;&gt;zhuqiangtj@gmail.com&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;This looks like it may have been addressed for standalone nodes in MongoDB 5.0, in &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-50994&quot; title=&quot;Audit of dropCollection during dropDatabase&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-50994&quot;&gt;&lt;del&gt;SERVER-50994&lt;/del&gt;&lt;/a&gt;, which ensures that standalone node types (mongos, mongod in standalone mode) always audit these operations as part of auditing a dropDatabase operation.&lt;/p&gt;

&lt;p&gt;It sounds like you are seeing this behavior on a standalone node (versus a replica set node), is that right? If so, you should be able to either upgrade to MongoDB 5.0 or run on version 4.4 as a replica set.&lt;/p&gt;

&lt;p&gt;Does this help?&lt;/p&gt;

&lt;p&gt;Eric&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="1477909">SERVER-50994</issuekey>
        </issuelink>
                            </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 1 Oct 2021 22:40:26 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        2 years, 18 weeks ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>eric.sedor@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            2 years, 18 weeks ago
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>eric.sedor@mongodb.com</customfieldvalue>
            <customfieldvalue>zhuqiangtj@gmail.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i039kv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hzn2bj:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;p&gt;1. Specify the filter in the MongoDB configuration file:&lt;br/&gt;
filter: &apos;{ atype: { $in: [ &quot;createCollection&quot;, &quot;dropCollection&quot; ] } }&apos;&lt;/p&gt;

&lt;p&gt;2. Open a session and watch for any audit log change:&lt;br/&gt;
tail -f auditLog.bson&lt;/p&gt;

&lt;p&gt;3. Open another session and log in as root&lt;br/&gt;
mongo admin -u admin -p 123456&lt;/p&gt;

&lt;p&gt;4. Add a new database test&lt;br/&gt;
MongoDB Enterprise &amp;gt; use test&lt;br/&gt;
switched to db test&lt;/p&gt;

&lt;p&gt;5. Create a collection; as you can see, the audit log will have the relevant entry.&lt;br/&gt;
MongoDB Enterprise &amp;gt; db.t1.insert({name:&apos;david&apos;})&lt;br/&gt;
WriteResult({ &quot;nInserted&quot; : 1 })&lt;/p&gt;

&lt;p&gt;6. Drop a collection; the audit filter also works well.&lt;br/&gt;
db.t1.drop()&lt;br/&gt;
true&lt;/p&gt;

&lt;p&gt;7. Create the collection again&lt;br/&gt;
MongoDB Enterprise &amp;gt; db.t1.insert({name:&apos;david&apos;})&lt;br/&gt;
WriteResult({ &quot;nInserted&quot; : 1 })&lt;/p&gt;

&lt;p&gt;8. Show collections&lt;br/&gt;
MongoDB Enterprise &amp;gt; show collections&lt;br/&gt;
t1&lt;/p&gt;

&lt;p&gt;9. Drop database test&lt;br/&gt;
MongoDB Enterprise &amp;gt; db.dropDatabase()&lt;/p&gt;

{ &quot;dropped&quot; : &quot;test&quot;, &quot;ok&quot; : 1 }

&lt;p&gt;10.&lt;br/&gt;
MongoDB Enterprise &amp;gt; db.getName()&lt;br/&gt;
test&lt;/p&gt;

&lt;p&gt;11. Show collections&lt;br/&gt;
MongoDB Enterprise &amp;gt; show collections&lt;/p&gt;

&lt;p&gt;As you can see, after dropping the database, the collection is removed in cascade without leaving any audit entry.&lt;/p&gt;</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                    <customfieldvalue><![CDATA[eric.sedor@mongodb.com]]></customfieldvalue>
    

                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i02vq7:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>