Bug 2035009 (CVE-2021-20330)
| Summary: | CVE-2021-20330 mongodb: specific replication command with malformed oplog entries can crash secondaries | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Nobody <nobody> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | bkearney |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | mongodb 4.9.0, mongodb 4.2.16, mongodb 4.0.27, mongodb 4.4.9 | Doc Type: | If docs needed, set a value |
| Doc Text: | A denial of service attack was found in MongoDB. An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2035293 | | |
| Bug Blocks: | 2035010 | | |
Description
Guilherme de Almeida Suckevicz
2021-12-22 17:31:49 UTC
Upstream patch:

* (v4.0) https://github.com/mongodb/mongo/commit/cbec187266a9f902b3906ae8ccef2bbda0c5b27b
* (v4.2) https://github.com/mongodb/mongo/commit/865eccaf35aca29d1b71764d50227cdf853752d0
* (v4.4) https://github.com/mongodb/mongo/commit/7e053b675b100a31092e5a195e4549712c0966ce

We are not planning on fixing this issue in RHUI because it affects version 3, which is in maintenance mode and will be EOL in March 2023. See RHUI lifecycle here for more information - https://access.redhat.com/support/policy/updates/rhui