Bug 1848563 (CVE-2020-7921)

Summary: CVE-2020-7921 mongodb: Improper serialization permits bypass of IP based authentication restrictions
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: admiller, athomas, bbuckingham, bcourt, bkearney, btotty, clalancette, databases-maint, hhorak, hhudgeon, jjoyce, jorton, jschluet, lhh, lpeer, lzap, mburns, mmccune, mskalicky, nmoumoul, panovotn, rchan, rjerrido, rschiron, sclewis, slinaber, sokeeffe, strobert, tdawson
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: mongodb 3.6.18, mongodb 4.0.15, mongodb 4.2.3, mongodb 4.3.3
Doc Text:
A vulnerability was discovered in MongoDB, where an update operation on a user-defined role clears the authenticationRestrictions field that was previously set. This unexpected behavior may remove previous IP-based restrictions configured on a role, thus allowing a user to bypass them once the update operation is performed.
Last Closed: 2021-10-28 10:13:32 UTC
Bug Depends On: 1852534, 1852748, 1852749, 1852750
Bug Blocks: 1848565

Description Marian Rehak 2020-06-18 14:23:59 UTC
Improper serialization of internal state in the authentication subsystem in MongoDB Server permits a user with valid credentials to bypass authentication restrictions protection mechanisms as a result of administrative actions on one of the user's roles. This issue affects: MongoDB Inc. MongoDB Server 4.2 versions prior to 4.2.3; 4.0 versions prior to 4.0.15; 4.3 versions prior to 4.3.3; 3.6 versions prior to 3.6.18.

Upstream Reference:

https://jira.mongodb.org/browse/SERVER-45472

Comment 1 Summer Long 2020-06-19 01:57:29 UTC
External References:

https://www.mongodb.com/alerts#security-related

Comment 4 Summer Long 2020-06-19 01:58:09 UTC
Mitigation:

There is no known mitigation for this issue; the flaw can only be resolved by applying updates.

Comment 5 Riccardo Schirone 2020-06-30 16:17:36 UTC
Created mongodb tracking bugs for this issue:

Affects: epel-all [bug 1852534]

Comment 11 Riccardo Schirone 2020-07-02 14:57:35 UTC
authenticationRestrictions is an authentication mechanism that can be defined in Roles, to limit the IP addresses a client can connect from/to. For example, if a user tries to connect from an address not specified in authenticationRestrictions.clientSource, the connection will be denied.

When an admin does some operations on a role with the authenticationRestrictions field set, the authenticationRestrictions value is not correctly serialized and it can be cleared. For example, when updating another field of a given role (e.g. the privileges field), according to the documentation only that field should be replaced. However, due to this flaw the authenticationRestrictions field becomes empty, allowing a user with this role to effectively bypass the original intention of the admin.
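As an added example (not code from the bug report or from MongoDB), the following Node.js audit compares role documents, in the shape returned by db.getRoles({ showAuthenticationRestrictions: true }), against the restrictions the admin intended, and reports any role whose restrictions came back empty or altered after an update. The role names, addresses and documents are constructed samples.

```javascript
// Added example, not part of the bug report or MongoDB's own code: audit role
// documents for authenticationRestrictions that were dropped or changed.
// All role names, addresses and documents below are constructed samples.

// Canonical string form so the order of entries and addresses does not matter.
function canonical(restrictions) {
  const list = Array.isArray(restrictions) ? restrictions : [];
  return JSON.stringify(
    list.map((r) => ({
      clientSource: [...(r.clientSource || [])].sort(),
      serverAddress: [...(r.serverAddress || [])].sort(),
    })).sort((a, b) => JSON.stringify(a).localeCompare(JSON.stringify(b)))
  );
}

// expected: { "<db>.<role>": [ { clientSource, serverAddress }, ... ] }
// roles: role documents as returned by the server
// returns findings: [{ role, problem }]
function auditRoles(roles, expected) {
  const findings = [];
  const seen = new Set();
  for (const doc of roles) {
    const name = `${doc.db}.${doc.role}`;
    seen.add(name);
    if (!(name in expected)) continue; // not a managed role, nothing to compare
    const actual = doc.authenticationRestrictions;
    if (!Array.isArray(actual) || actual.length === 0) {
      findings.push({ role: name, problem: "restrictions cleared" });
    } else if (canonical(actual) !== canonical(expected[name])) {
      findings.push({ role: name, problem: "restrictions changed" });
    }
  }
  for (const name of Object.keys(expected)) {
    if (!seen.has(name)) findings.push({ role: name, problem: "role missing" });
  }
  return findings;
}

// Constructed baseline: what the admin configured with createRole.
const EXPECTED = {
  "app.reporting": [{ clientSource: ["10.0.1.0/24"] }],
  "app.ingest": [{ clientSource: ["10.0.2.5"], serverAddress: ["10.0.0.10"] }],
};

// Constructed snapshot after an updateRole that touched only "privileges":
// reporting kept its restrictions, ingest's came back empty (the symptom described above).
const AFTER_UPDATE = [
  { role: "reporting", db: "app", privileges: [], authenticationRestrictions: [{ clientSource: ["10.0.1.0/24"] }] },
  { role: "ingest", db: "app", privileges: [], authenticationRestrictions: [] },
];

console.log(auditRoles(AFTER_UPDATE, EXPECTED));
```

Run it after every role change on an affected version; a non-empty result means the restrictions on that role must be re-applied and verified.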

Comment 12 Riccardo Schirone 2020-07-02 19:28:33 UTC
This flaw is only relevant if the authenticationRestrictions field on a user-defined role is defined and the mongod server is not bound to localhost only. By default, Red Hat Software Collections MongoDB is configured to listen on localhost only (127.0.0.1), thus only users on the local machine can connect to the MongoDB server. Moreover, the user-defined role must be updated to trigger the vulnerable behaviour, which disables the authenticationRestrictions mechanism. An attacker cannot bypass the authentication until a user with the proper privileges updates the role.

Comment 13 Riccardo Schirone 2020-07-02 19:30:01 UTC
Statement:

Red Hat Satellite 6.6 onward does not ship the MongoDB package; however, the product consumes MongoDB from Red Hat Software Collections (RHSCL) for Red Hat Enterprise Linux. Satellite has no plans to update to a version of MongoDB released with a Server Side Public License (SSPL) which includes all versions released after October 16, 2018. Refer to this article for more information: https://access.redhat.com/articles/5767021

This issue did not affect the versions of mongodb as shipped with Red Hat Update Infrastructure 3, as they did not include support for the authenticationRestrictions field in roles.

Comment 14 Riccardo Schirone 2020-07-02 19:30:24 UTC
The authenticationRestrictions field was added in MongoDB upstream version 3.6.

Comment 15 Patrik Novotný 2020-07-07 10:31:47 UTC
The upstream patch is licensed under the SSPL license, which is not compatible with our licensing requirements. Therefore, the patch cannot be applied.

Closing as WONTFIX.

Comment 16 Patrik Novotný 2020-07-07 13:21:19 UTC
I've managed to close the wrong bug. Sorry about that! Reopening...