Bug 1732358 (CVE-2015-7882)

Summary: CVE-2015-7882 mongodb: improper handling of LDAP authentication leading to unauthorized access
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: admiller, athomas, bbuckingham, bcourt, bkearney, btotty, clalancette, databases-maint, dbecker, hhorak, hhudgeon, jjoyce, jorton, jpacner, jschluet, kbasil, lhh, lpeer, lzap, mburns, mhulan, mmccune, mskalick, panovotn, rchan, rjerrido, sclewis, slinaber, strobert, tdawson, tomm.momi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: enterprise mongodb 3.0.7, enterprise mongodb 3.1.9
Doc Type: If docs needed, set a value
Doc Text:
An authentication issue was found in MongoDB. The improper handling of LDAP authentication in MongoDB Enterprise versions 3.0.0 through 3.0.6 can allow an unauthenticated client to gain unauthorized access. The MongoDB Community Edition is not affected by this vulnerability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-01 13:18:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1732359
Bug Blocks: 1732360

Description Marian Rehak 2019-07-23 08:46:29 UTC
Improper handling of LDAP authentication in MongoDB Server versions 3.0.0 to 3.0.6 allows an unauthenticated client to gain unauthorized access. !Only deployments using LDAP authentication are affected by this vulnerability!

External References:

https://jira.mongodb.org/browse/SERVER-20691
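The three conditions stated in this bug (Enterprise edition, server version 3.0.0 through 3.0.6, LDAP authentication in use) are what an administrator has to check to decide whether a deployment is exposed. The following triage helper is an added example and is not part of the bug report or of MongoDB's own tooling. It assumes the edition is read from the `modules` list of the server's buildInfo output, and that LDAP proxy authentication in the 3.0 series shows up in mongod.conf as the PLAIN mechanism under `setParameter.authenticationMechanisms` together with a `setParameter.saslauthdPath`; the configuration fragment embedded below is constructed for the example.

```python
import re

# Affected range as stated in the bug description (3.0.0 to 3.0.6 inclusive).
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Constructed mongod.conf fragment (assumed layout for LDAP via saslauthd on 3.0).
SAMPLE_CONF = """\
security:
  authorization: enabled   # RBAC turned on
setParameter:
  authenticationMechanisms: PLAIN,SCRAM-SHA-1
  saslauthdPath: /var/run/saslauthd/mux
"""


def parse_version(text):
    """Turn '3.0.6' (or '3.0.6-rc0') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(text):
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def flatten_conf(text):
    """Minimal reader for the 'key: value' subset of mongod.conf YAML.

    Handles nesting by indentation, strips '#' comments, and returns a dict keyed by
    dotted path, e.g. {'setParameter.saslauthdPath': '/var/run/saslauthd/mux'}.
    Lists and anchors are deliberately unsupported; use a real YAML parser for those.
    """
    out, stack = {}, []  # stack holds (indent, key) for enclosing mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            out[path] = value.strip().strip("\"'")
        else:
            stack.append((indent, key.strip()))
    return out


def uses_ldap_auth(conf):
    """True when the PLAIN mechanism is enabled and a saslauthd socket is configured."""
    raw = conf.get("setParameter.authenticationMechanisms", "")
    mechanisms = {m.strip().upper() for m in raw.split(",") if m.strip()}
    return "PLAIN" in mechanisms and "setParameter.saslauthdPath" in conf


def triage(version, modules, conf_text):
    """Apply the bug's three conditions in order; 'modules' is buildInfo's module list."""
    if "enterprise" not in [m.lower() for m in modules]:
        return "not affected: Community edition"
    if not version_in_affected_range(version):
        return "not affected: version outside 3.0.0-3.0.6"
    if not uses_ldap_auth(flatten_conf(conf_text)):
        return "not affected: LDAP authentication not configured"
    return "AFFECTED: upgrade to 3.0.7 or later"


if __name__ == "__main__":
    print(triage("3.0.6", ["enterprise"], SAMPLE_CONF))
    print(triage("3.0.6", [], SAMPLE_CONF))
```

The checks are ordered so the cheapest exclusion comes first: the edition alone clears every Community deployment, which is why the Red Hat products listed later in this bug were marked not affected without any configuration review.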

Comment 1 Marian Rehak 2019-07-23 08:46:43 UTC
Created mongodb tracking bugs for this issue:

Affects: fedora-29 [bug 1732359]

Comment 3 Summer Long 2019-07-24 01:18:20 UTC
Per upstream notice (https://jira.mongodb.org/browse/SERVER-20691): 
"The Community edition of MongoDB is not affected by this vulnerability."

Comment 9 Riccardo Schirone 2019-08-01 08:10:47 UTC
Statement:

All versions of the following products which include mongodb include only MongoDB's Community edition, and are therefore not affected by this vulnerability:
* Red Hat OpenStack Platform
* Red Hat Software Collections
* Red Hat Update Infrastructure

Comment 10 Product Security DevOps Team 2019-08-01 13:18:20 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2015-7882