Bug 1948726 (CVE-2020-7924)

Summary: CVE-2020-7924 mongodb: sslAllowInvalidHostnames bypass ssl/tls server certification validation entirely
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: athomas, databases-maint, dbecker, hhorak, jjoyce, jorton, jschluet, lhh, lpeer, mburns, panovotn, sclewis, slinaber, ytale
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A validation flaw was found in mongodb. Due to the incorrect behavior of a specific command-line parameter in MongoDB Tools, which was originally intended to just skip hostname checks, all certificate validations by MongoDB could be skipped. The highest threat from this vulnerability is to data integrity.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-04-16 16:46:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1948727    

Description Pedro Sampaio 2021-04-12 20:07:40 UTC 
Usage of specific command line parameter in MongoDB Tools which was originally intended to just skip hostname checks, may result in MongoDB skipping all certificate validation. This may result in accepting invalid certificates.This issue affects: MongoDB Inc. MongoDB Database Tools 3.6 versions later than 3.6.5; 3.6 versions prior to 3.6.21; 4.0 versions prior to 4.0.21; 4.2 versions prior to 4.2.11; 100 versions prior to 100.2.0. MongoDB Inc. Mongomirror 0 versions later than 0.6.0.

References:

https://jira.mongodb.org/browse/TOOLS-2587
Comment 1 Anten Skrabec 2021-04-14 21:12:25 UTC 
Statement:

In Red Hat OpenStack Platform, because the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP mongodb package.
Comment 2 Anten Skrabec 2021-04-14 23:29:15 UTC 
External References:

https://jira.mongodb.org/browse/TOOLS-2587
Comment 3 Anten Skrabec 2021-04-14 23:30:03 UTC 
Upstream Patch: 

https://github.com/mongodb/mongo-tools/commit/8c1800b5155084f954a39a1f2f259efac3bb86de
Comment 6 Product Security DevOps Team 2021-04-16 16:46:35 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-7924