MongoDB serious bug ‘mongobleed’

MongoDB’s CTO Jim Scharf writes a straightforward post outlining how the bug was found, how it was fixed, and how the fix was rolled out. Bravo for a great response and timeline.

The vulnerability was discovered internally by MongoDB Security Engineering as part of our proactive and continuously evolving security program. Over the last several years, we have increased our investment in people, processes, and technology to analyse and improve our codebase continuously. This work is ongoing, and discoveries like this reinforce the importance of sustained focus in this area.

Kudos to them for finding, reporting, and fixing this very serious bug with the level of transparency they did. My big complaint is how poorly they communicated how bad this bug is. See this post on Stanislav Kozlovski’s Big Data Stream blog:

It allows an attacker to read off any uninitialized heap memory, meaning anything that was allocated to memory from a previous database operation could be read.

The bug was introduced in 2017. It is dead-easy to exploit – it only requires connectivity to the database (no auth needed). It is fixed as of writing, but some EOL versions (3.6, 4.0, 4.2) will not get it.

Being clear about how bad the bug is helps users and administrators understand how they should prioritize fixing these things.