Bug 1746132 (CVE-2019-2386)

Summary: CVE-2019-2386 mongodb: Improper invalidation of authorization sessions for deleted users
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: admiller, alolivei, athomas, bkearney, clalancette, databases-maint, hhorak, hhudgeon, jjoyce, jorton, jschluet, lhh, lpeer, mburns, mskalick, panovotn, rjerrido, sclewis, slinaber, strobert, tdawson, tomm.momi
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: mongodb 4.0.9, mongodb 3.6.13, mongodb 3.4.22
Doc Type: If docs needed, set a value
Doc Text:
A session expiration flaw was discovered in MongoDB. After a user is deleted, the session tokens for that user do not expire and can be reused if a new user is created with the same name. An attacker with access to a MongoDB user could exploit this flaw to gain access to the new user account.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-27 10:49:00 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1746133, 1746134, 1746721, 1746722, 1746723, 1747200, 1749418
Bug Blocks: 1746136

Description Pedro Sampaio 2019-08-27 18:02:24 UTC
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

References:

https://exchange.xforce.ibmcloud.com/vulnerabilities/164984

Comment 1 Pedro Sampaio 2019-08-27 18:02:54 UTC
Created mongodb tracking bugs for this issue:

Affects: epel-all [bug 1746133]
Affects: fedora-29 [bug 1746134]

Comment 7 Doran Moppert 2019-08-29 07:22:17 UTC
External References:

https://jira.mongodb.org/browse/SERVER-38984

Comment 8 Doran Moppert 2019-08-29 07:24:58 UTC
Mitigation:

This vulnerability can be mitigated by either of two administrative practices:

* Whenever a user is deleted, restart all nodes where that user may have an active session
* When a user is deleted, ensure that a new user with the same name will never be created

If your mongodb instance is deployed in a situation where users never need to be deleted, or one of the above mitigations can be applied, this vulnerability cannot be exploited.
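The two administrative mitigations above, plus the affected-version ranges from this bug, expressed as small helper logic. This is an added example, not code from the Bugzilla record or from MongoDB; the `FIXED_IN` table comes from the bug, while `UserAdminPolicy`, its method names and the node identifiers are assumptions for illustration.

```python
"""Added example (not from the bug record or MongoDB): affected-version check
for CVE-2019-2386 and a model of the two administrative mitigations."""
from dataclasses import dataclass, field

# Fixed-in versions per release branch, as stated in this bug record.
FIXED_IN = {(4, 0): (4, 0, 9), (3, 6): (3, 6, 13), (3, 4): (3, 4, 22)}


def parse_version(text: str) -> tuple[int, int, int]:
    """'3.6.12' -> (3, 6, 12); tolerates a suffix such as '-rc0'."""
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when a mongod of this version lies in one of the affected ranges."""
    v = parse_version(version)
    fixed = FIXED_IN.get(v[:2])
    if fixed is None:
        return False  # branch not listed in the advisory; treated as unaffected
    return v < fixed


@dataclass
class UserAdminPolicy:
    """Hypothetical admin-side policy: deleted names are tombstoned so they are
    never re-created (second mitigation), and each deletion records the nodes
    that still need a restart (first mitigation) until one is confirmed."""
    tombstones: set[str] = field(default_factory=set)
    pending_restart: set[str] = field(default_factory=set)

    def delete_user(self, name: str, nodes: list[str]) -> None:
        """Call after dropUser; nodes = where the user may have had a session."""
        self.tombstones.add(name)
        self.pending_restart.update(nodes)

    def node_restarted(self, node: str) -> None:
        """Record that a node has been restarted, clearing it from the to-do set."""
        self.pending_restart.discard(node)

    def create_user(self, name: str) -> bool:
        """Refuse to reuse a deleted name; run createUser only when this is True."""
        return name not in self.tombstones
```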

Comment 10 Anten Skrabec 2019-08-29 22:10:22 UTC
For this vulnerability to be exploited, an attacker must first gain access and log in to a user account. While logged in, an admin must delete that account and then later remake it. Between the time it was deleted and remade, the attacker must not attempt any type of access or the token will be revoked. Once the user has been recreated, the attacker has full access to the remade account.

Comment 14 Riccardo Schirone 2019-09-05 14:57:29 UTC
Statement:

This issue does affect the versions of mongodb as shipped with Red Hat Update Infrastructure for Cloud Providers, but the service is only accessible by users who already have access to the Red Hat Update Appliance (RHUA).