Bug 1871252 (CVE-2020-7923)

Summary: CVE-2020-7923 mongodb: GeoQuery can lead to DoS
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: admiller, athomas, bbuckingham, bcourt, bkearney, btotty, clalancette, databases-maint, gparvin, hhorak, hhudgeon, jjoyce, jorton, jramanat, jschluet, jweiser, kbasil, lhh, lpeer, lzap, mburns, mmccune, mskalicky, nmoumoul, panovotn, rchan, rjerrido, sclewis, slinaber, sokeeffe, stcannon, strobert, tdawson, tfister, thee, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: mongodb 4.5.1, mongodb 4.0.19, mongodb 4.2.8, mongodb 4.4.0-rc7 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in mongodb. A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 10:15:59 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1871959, 1872727, 1872728, 1872729    
Bug Blocks: 1871253    

Description Guilherme de Almeida Suckevicz 2020-08-21 18:57:26 UTC 
A user authorized to perform database queries may cause denial of service by issuing specially crafted queries, which violate an invariant in the query subsystem's support for geoNear. This issue affects: MongoDB Inc. MongoDB Server v4.5 versions prior to 4.5.1; v4.4 versions prior to 4.4.0-rc7; v4.2 versions prior to 4.2.8; v4.0 versions prior to 4.0.19.

Reference:
https://jira.mongodb.org/browse/SERVER-47773
Comment 1 Guilherme de Almeida Suckevicz 2020-08-24 17:18:31 UTC 
Created mongodb tracking bugs for this issue:

Affects: epel-all [bug 1871959]
Comment 7 Riccardo Schirone 2020-08-26 14:02:37 UTC 
Upstream patch:
https://github.com/mongodb/mongo/commit/c8ced6df8f620daaa2e539f192f2eef356c63e9c
Comment 8 Doran Moppert 2020-08-27 02:38:32 UTC 
Red Hat Advanced Cluster Management for Kubernetes includes nodejs mongodb client, which is not affected by this flaw.  the MongoDB server is not included in this product.
Comment 9 Yadnyawalk Tale 2020-08-28 15:06:23 UTC 
Statement:

Red Hat Satellite 6.6 onward does not ship the MongoDB package; however, the product consumes MongoDB from Red Hat Software Collections (RHSCL) for Red Hat Enterprise Linux. Satellite has no plans to update to a version of MongoDB released with a Server Side Public License (SSPL) which includes all versions released after October 16, 2018. Refer to this article for more information: https://access.redhat.com/articles/5767021

Red Hat Update Infrastructure 3 ships an affected version of mongodb, however it does not use GeoQuery and it is not vulnerable to this flaw.
Comment 10 Yadnyawalk Tale 2020-08-28 15:12:01 UTC 
At this time, we have no additional z-streams planned for Red Hat Satellite 6.5.z. Based upon that and that this is a low severity issue, closing this one as wontfix.