Bug 1934236 (CVE-2021-20328)

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name | | |
| Product | [Other] Security Response | Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aboyko, ahenning, aileenc, aos-bugs, asoldano, atangrin, bbaranow, bibryam, bmaxwell, bmontgom, brian.stansberry, cdewolf, chazlett, darran.lofthouse, databases-maint, dkreling, dosoudil, drieden, eleandro, eparis, extras-orphan, fjuma, ganandan, ggaughan, gmalinko, gmorling, hbraun, hhorak, iweiss, janstey, jburrell, jerboaa, jnethert, jochrist, jokerman, jolee, jorton, jpechane, jperkins, jross, jschatte, jstastny, jwon, krathod, kwills, lef, lgao, mskalicky, msochure, msvehla, nstielau, nwallace, odubaj, pantinor, pjindal, pmackay, pskopek, rguimara, rstancel, rsvoboda, sd-operator-metering, sguilhen, smaestri, sponnaga, tflannag, tom.jenkinson, yborgess |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | mongodb-driver 3.11.3, mongodb-driver 3.12.8, mongodb-driver-legacy 4.0.6, mongodb-driver-legacy 4.1.2, mongodb-driver-legacy 4.2.1 | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2021-03-16 19:20:13 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1934237 | | |
| Bug Blocks | 1934239 | | |
Description
Guilherme de Almeida Suckevicz
2021-03-02 18:32:31 UTC
Created mongo-java-driver tracking bugs for this issue: Affects: fedora-32 [bug 1934237]

According to their docs, CSFLE was only added in 3.12.0+, but I don't know how that translates to mongo-java-driver [1]. Either way, the version shipped with openshift4/presto-container is 3.6.0 and is not affected. Additionally, I looked at the actual code for 3.6.0 and it doesn't seem to contain any of the affected code at all. There are other `socket.connect` calls but they set the `enableHostNameVerification`.

[1] https://docs.mongodb.com/manual/core/security-client-side-encryption/#driver-compatibility-table

Upstream fix: https://github.com/mongodb/mongo-java-driver/commit/0b441990d8621979c68a45586187f8a12c003f63

This issue has been addressed in the following products:

Red Hat Integration Debezium 1.4.2

Via RHSA-2021:0871 https://access.redhat.com/errata/RHSA-2021:0871

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20328

This issue has been addressed in the following products:

Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767

This issue has been addressed in the following products:

Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
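The defect class behind this CVE is a TLS client socket that validates the KMS certificate chain but never checks the certificate against the host it is connecting to. The following Java is an added illustration of that pattern and its hardened form; it is not code from mongo-java-driver or from the upstream fix commit. The class name, `KMS_HOST`, `KMS_PORT` and the `enableHostNameVerification` helper are my own placeholders and rendering of the pattern the comment above refers to, not the driver's API.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Illustrative only: a weak and a hardened way of opening a TLS socket to a
 * KMS endpoint from Java. KMS_HOST and KMS_PORT are placeholders, not values
 * taken from the advisory.
 */
public final class KmsTlsSocketExample {

    private static final String KMS_HOST = "kms.example.invalid"; // placeholder
    private static final int KMS_PORT = 443;                      // placeholder
    private static final int CONNECT_TIMEOUT_MS = 10_000;

    /**
     * Weak pattern: the chain is validated against the trust store, but the
     * socket's default SSLParameters carry no endpoint identification
     * algorithm, so the certificate's subject/SAN is never compared with
     * KMS_HOST. Any certificate from a trusted CA, for any name, is accepted.
     */
    static SSLSocket connectWithoutHostnameVerification(SSLContext sslContext) throws IOException {
        SSLSocketFactory factory = sslContext.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket();
        socket.connect(new InetSocketAddress(KMS_HOST, KMS_PORT), CONNECT_TIMEOUT_MS);
        socket.startHandshake();
        return socket;
    }

    /**
     * Hardened pattern: enable HTTPS-style endpoint identification before the
     * handshake so JSSE rejects a certificate that does not match KMS_HOST.
     */
    static SSLSocket connectWithHostnameVerification(SSLContext sslContext) throws IOException {
        SSLSocketFactory factory = sslContext.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket();
        enableHostNameVerification(socket);
        // Connect using the host *name*: JSSE takes the name it verifies from
        // the address the socket connects to, so passing a pre-resolved
        // InetAddress would make the check compare against the IP instead.
        socket.connect(new InetSocketAddress(KMS_HOST, KMS_PORT), CONNECT_TIMEOUT_MS);
        socket.startHandshake();
        return socket;
    }

    /** Turns on hostname verification for an SSLSocket; must run before the handshake. */
    static void enableHostNameVerification(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }

    /** Review check: does this socket verify the peer hostname during the handshake? */
    static boolean isHostnameVerificationEnabled(SSLSocket socket) {
        return "HTTPS".equals(socket.getSSLParameters().getEndpointIdentificationAlgorithm());
    }

    public static void main(String[] args) throws Exception {
        // No network access needed to show the difference: inspect an
        // unconnected socket's parameters before and after the fix.
        SSLContext ctx = SSLContext.getDefault();
        SSLSocket probe = (SSLSocket) ctx.getSocketFactory().createSocket();
        System.out.println("default socket verifies hostname: " + isHostnameVerificationEnabled(probe));
        enableHostNameVerification(probe);
        System.out.println("after enabling:                   " + isHostnameVerificationEnabled(probe));
        probe.close();
    }
}
```

When auditing a driver or client library for this class of issue, the thing to look for is every place an `SSLSocket` (or `SSLEngine`) is created outside of `HttpsURLConnection` or a higher-level HTTP client: those high-level clients apply hostname verification by default, but a raw JSSE socket does not, so each such site needs the `setEndpointIdentificationAlgorithm("HTTPS")` call (or an equivalent `HostnameVerifier`) before the handshake.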