<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 06:16:28 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[SERVER-70549] Speculative authentication with SCRAM-SHA-256 disabled on mongod creates audit message</title>
                <link>https://jira.mongodb.org/browse/SERVER-70549</link>
                <project id="10000" key="SERVER">Core Server</project>
                    <description>&lt;p&gt;When running with SCRAM-SHA-256 &lt;em&gt;not&lt;/em&gt; enabled on a mongod server, speculative authentication attempts with SCRAM-SHA-256 cause audit messages to be logged indicating authentication failures (result code 18). &lt;/p&gt;

&lt;p&gt;This is undesirable, as the appearance of an authentication failure message in the audit log can be taken as an indication that someone is actually trying to login with a bad password. &lt;/p&gt;

&lt;p&gt;The ask here is to stop triggering audit events for speculative authentication failures. &lt;/p&gt;</description>
                <environment></environment>
        <key id="2158656">SERVER-70549</key>
            <summary>Speculative authentication with SCRAM-SHA-256 disabled on mongod creates audit message</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13201">Fixed</resolution>
                                        <assignee username="militsa.sotirova@mongodb.com">Militsa Sotirova</assignee>
                                    <reporter username="spencer.brown@mongodb.com">Spencer Brown</reporter>
                        <labels>
                    </labels>
                <created>Thu, 13 Oct 2022 16:57:02 +0000</created>
                <updated>Sun, 29 Oct 2023 21:31:56 +0000</updated>
                            <resolved>Thu, 12 Jan 2023 16:08:59 +0000</resolved>
                                    <version>4.4.16</version>
                                    <fixVersion>6.3.0-rc0</fixVersion>
                                                        <votes>0</votes>
                                    <watches>7</watches>
                                                                                                                <comments>
                            <comment id="5109340" author="xgen-internal-githook" created="Thu, 12 Jan 2023 16:04:56 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Militsa Sotirova&apos;, &apos;email&apos;: &apos;militsa.sotirova@mongodb.com&apos;, &apos;username&apos;: &apos;militsasotirova&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-70549&quot; title=&quot;Speculative authentication with SCRAM-SHA-256 disabled on mongod creates audit message&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-70549&quot;&gt;&lt;del&gt;SERVER-70549&lt;/del&gt;&lt;/a&gt; Fix AuthenticationSession logic&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/mongodb/mongo/commit/a8d5b7a8a8298b00a069f648b9d3f8734812e49e&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/mongodb/mongo/commit/a8d5b7a8a8298b00a069f648b9d3f8734812e49e&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="5109339" author="xgen-internal-githook" created="Thu, 12 Jan 2023 16:04:53 +0000"  >&lt;p&gt;Author:&lt;/p&gt;
{&apos;name&apos;: &apos;Militsa Sotirova&apos;, &apos;email&apos;: &apos;militsa.sotirova@mongodb.com&apos;, &apos;username&apos;: &apos;militsasotirova&apos;}
&lt;p&gt;Message: &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-70549&quot; title=&quot;Speculative authentication with SCRAM-SHA-256 disabled on mongod creates audit message&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-70549&quot;&gt;&lt;del&gt;SERVER-70549&lt;/del&gt;&lt;/a&gt; Fix AuthenticationSession logic&lt;br/&gt;
Branch: master&lt;br/&gt;
&lt;a href=&quot;https://github.com/10gen/mongo-enterprise-modules/commit/e887c768db4dc3a1398729b195abe8785fd03f38&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://github.com/10gen/mongo-enterprise-modules/commit/e887c768db4dc3a1398729b195abe8785fd03f38&lt;/a&gt;&lt;/p&gt;</comment>
                            <comment id="5049771" author="sara.golemon" created="Tue, 13 Dec 2022 00:05:41 +0000"  >&lt;p&gt;Oh, it should be noted that for clients experiencing this spurious log warning/audit, they can instruct their clients to use a URI which includes the authentication mechanism, e.g. `mongodb://alice:secret@server1:27017/admin?authenticationMechanism=SCRAM-SHA-1`. The client/driver should then speculate saslStart using the correct mechanism.&lt;/p&gt;</comment>
                            <comment id="5048558" author="sara.golemon" created="Mon, 12 Dec 2022 18:30:00 +0000"  >&lt;p&gt;Just want to clarify that the goal here is for the speculative failure to not cause the logging IF AND ONLY IF it subsequently succeeds for the same user via saslStart/saslContinue ?&lt;/p&gt;

&lt;p&gt;I don&apos;t want to see a blanket skip on the auth failure as that opens an avenue for brute forcing.&lt;/p&gt;</comment>
                            <comment id="4919945" author="spencer.jackson@10gen.com" created="Fri, 21 Oct 2022 22:01:03 +0000"  >&lt;p&gt;I expected this to have been resolved by &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-52863&quot; title=&quot;Instantiate AuthenticationSession during SASL mechanism negotiation&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-52863&quot;&gt;&lt;del&gt;SERVER-52863&lt;/del&gt;&lt;/a&gt;, but I just reproduced this on the master branch. Since &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-52863&quot; title=&quot;Instantiate AuthenticationSession during SASL mechanism negotiation&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-52863&quot;&gt;&lt;del&gt;SERVER-52863&lt;/del&gt;&lt;/a&gt;, the server&apos;s AuthenticationSession gets created during &lt;tt&gt;hello&lt;/tt&gt;&apos;s SASL mechanism negotiation. It seems that failed speculation is causing the AuthenticationSession to get torn down and re-created, producing an audit event as a side effect.&lt;/p&gt;

&lt;p&gt;Failed speculative auth should not be considered an error by the AuthenticationSession, nor produce an audit event. The session should remain active until a subsequent &lt;tt&gt;hello&lt;/tt&gt;, a definitive auth exchange, or the destruction of the Client it&apos;s attached to.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10520">
                    <name>Problem/Incident</name>
                                            <outwardlinks description="causes">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                <customfield id="customfield_10050" key="com.atlassian.jira.toolkit:comments">
                        <customfieldname># Replies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>5.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18555" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname># of Sprints</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>4.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_12751" key="com.atlassian.jira.plugin.system.customfieldtypes:multiselect">
                        <customfieldname>Assigned Teams</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="25129"><![CDATA[Server Security]]></customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_10011" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Backwards Compatibility</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10038"><![CDATA[Fully Compatible]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_13552" key="com.go2group.jira.plugin.crm:crm_generic_field">
                        <customfieldname>Case</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[[5006R00001oGWfvQAG]]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                            <customfield id="customfield_10055" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>Date of 1st Reply</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Fri, 21 Oct 2022 22:01:03 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10052" key="com.atlassian.jira.toolkit:dayslastcommented">
                        <customfieldname>Days since reply</customfieldname>
                        <customfieldvalues>
                                        1 year, 3 weeks, 6 days ago
    
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_18254" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Dependencies</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue><![CDATA[]]></customfieldvalue>


                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_17050" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Downstream Team Attention</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="16941"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10057" key="com.atlassian.jira.toolkit:lastusercommented">
                        <customfieldname>Last comment by Customer</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>true</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10056" key="com.atlassian.jira.toolkit:lastupdaterorcommenter">
                        <customfieldname>Last commenter</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>luke.bonanomi@mongodb.com</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_11151" key="com.atlassian.jira.toolkit:LastCommentDate">
                        <customfieldname>Last public comment date</customfieldname>
                        <customfieldvalues>
                            1 year, 3 weeks, 6 days ago
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_16465" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Linked BF Score</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>141.0</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10032" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Operating System</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10026"><![CDATA[ALL]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_10051" key="com.atlassian.jira.toolkit:participants">
                        <customfieldname>Participants</customfieldname>
                        <customfieldvalues>
                                        <customfieldvalue>xgen-internal-githook</customfieldvalue>
            <customfieldvalue>militsa.sotirova@mongodb.com</customfieldvalue>
            <customfieldvalue>sara.golemon@mongodb.com</customfieldvalue>
            <customfieldvalue>spencer.brown@mongodb.com</customfieldvalue>
            <customfieldvalue>spencer.jackson@mongodb.com</customfieldvalue>
    
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                        <customfield id="customfield_14254" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Product Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i1dztr:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hr9fji:i</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_23361" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Requested By</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                            <customfield id="customfield_22250" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Special Downgrade Instructions Required</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="23343"><![CDATA[Not Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10557" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue id="6602">Security 2022-12-12</customfieldvalue>
    <customfieldvalue id="6603">Security 2022-12-26</customfieldvalue>
    <customfieldvalue id="6632">Security 2023-01-09</customfieldvalue>
    <customfieldvalue id="6633">Security 2023-01-23</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                        <customfield id="customfield_10750" key="com.atlassian.jira.plugin.system.customfieldtypes:textarea">
                        <customfieldname>Steps To Reproduce</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>&lt;ul&gt;
	&lt;li&gt;Run a standalone server 4.4.x with auditing enabled (no filter), setParameter authenticationMechanisms has SCRAM-SHA-1 but &lt;em&gt;not&lt;/em&gt; SCRAM-SHA-256.&lt;/li&gt;
	&lt;li&gt;Create a test SCRAM user and authenticate with that user in mongosh.&lt;/li&gt;
	&lt;li&gt;In the mongod log, notice there is a speculative authentication attempt against SCRAM-SHA-256 from the node.js driver even though it&apos;s disabled at the server.&lt;/li&gt;
	&lt;li&gt;In the audit log, notice an audit log message for the SCRAM-SHA-256 speculative login attempt with result code 18.&lt;/li&gt;
&lt;/ul&gt;
</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10053" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>Time In Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_22870" key="com.onresolve.jira.groovy.groovyrunner:scripted-field">
                        <customfieldname>Triagers</customfieldname>
                        <customfieldvalues>
                                

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_14350" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>serverRank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>1|i1dlz3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>