Bug 1746132 (CVE-2019-2386) - CVE-2019-2386 mongodb: Improper invalidation of authorization sessions for deleted users
Status: CLOSED ERRATA
Alias: CVE-2019-2386
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1746133 1746134 1746721 1746722 1746723 1747200 1749418
Blocks: 1746136
Reported: 2019-08-27 18:02 UTC by Pedro Sampaio
Modified: 2023-09-07 20:29 UTC (History)

Fixed In Version: mongodb 4.0.9, mongodb 3.6.13, mongodb 3.4.22
Last Closed: 2021-10-27 10:49:00 UTC


Description Pedro Sampaio 2019-08-27 18:02:24 UTC
After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.9; v3.6 versions prior to 3.6.13; v3.4 versions prior to 3.4.22.

References:

https://exchange.xforce.ibmcloud.com/vulnerabilities/164984

Comment 1 Pedro Sampaio 2019-08-27 18:02:54 UTC
Created mongodb tracking bugs for this issue:

Affects: epel-all [bug 1746133]
Affects: fedora-29 [bug 1746134]

Comment 7 Doran Moppert 2019-08-29 07:22:17 UTC
External References:

https://jira.mongodb.org/browse/SERVER-38984

Comment 8 Doran Moppert 2019-08-29 07:24:58 UTC
Mitigation:

This vulnerability can be mitigated by either of two administrative practices:

* Whenever a user is deleted, restart all nodes where that user may have an active session
* When a user is deleted, ensure that a new user with the same name will never be created

If your mongodb instance is deployed in a situation where users never need to be deleted, or one of the above mitigations can be applied, this vulnerability cannot be exploited.

Comment 10 Anten Skrabec 2019-08-29 22:10:22 UTC
For this vulnerability to be exploited, an attacker must first gain access and login to a user account. While logged in, an admin must delete that account and then later remake it. Between the time it was deleted and remade, the attacker must not attempt any type of access or the token will be revoked. Once the user has been recreated, the attacker has full access to the remade account.
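The sequence in Comment 10 and the two mitigations in Comment 8, as a constructed Python model added here (not MongoDB's code): an authorization session cache that resolves privileges by user name keeps a session alive across deletion and re-binds it to a later account with the same name, while the "fixed" mode invalidates the deleted user's sessions and ties each session to an account id; user names and roles are assumed sample values.

```python
# Constructed model of the CVE-2019-2386 failure mode; not MongoDB's code.
# A cached authorization session keyed by user *name* outlives deletion of
# that user and is silently re-bound to a later account with the same name.
import itertools

_account_ids = itertools.count(1)


class AuthServer:
    def __init__(self, fixed: bool):
        self.fixed = fixed
        self.users = {}     # name -> (account_id, set of roles)
        self.sessions = {}  # token -> (name, account_id)

    def create_user(self, name, roles):
        if name in self.users:
            raise ValueError(f"user {name} already exists")
        self.users[name] = (next(_account_ids), set(roles))

    def login(self, name):
        account_id, _ = self.users[name]
        token = f"tok-{account_id}"
        self.sessions[token] = (name, account_id)
        return token

    def delete_user(self, name):
        del self.users[name]
        if self.fixed:
            # Fixed behaviour: drop every cached session of the deleted user.
            self.sessions = {t: s for t, s in self.sessions.items() if s[0] != name}

    def roles_for(self, token):
        """Resolve the privileges a session currently carries (None = revoked)."""
        if token not in self.sessions:
            return None
        name, account_id = self.sessions[token]
        if name not in self.users or (self.fixed and self.users[name][0] != account_id):
            self.sessions.pop(token)  # any access while the user is gone revokes the token
            return None
        # Vulnerable lookup: privileges resolved by name only, so a new account
        # that reuses the name is treated as the original session's owner.
        return set(self.users[name][1])


def scenario(fixed, touch_between=False):
    srv = AuthServer(fixed)
    srv.create_user("alice", ["read"])
    token = srv.login("alice")          # session opened before the deletion
    srv.delete_user("alice")            # admin removes the account
    if touch_between:
        srv.roles_for(token)            # any access in the gap revokes the token
    srv.create_user("alice", ["readWrite", "dbAdmin"])  # same name, new account
    return srv.roles_for(token)
```

`scenario(False)` returns the new account's roles for the stale session, which is the conflation the bug describes; `scenario(True)` and any variant that touches the session in the gap return None.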

Comment 14 Riccardo Schirone 2019-09-05 14:57:29 UTC
Statement:

This issue does affect the versions of mongodb as shipped with Red Hat Update Infrastructure for Cloud Providers, but the service is only accessible by users who already have access to the Red Hat Update Appliance (RHUA).
