Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption. Reference: https://jira.mongodb.org/browse/JAVA-4017
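As an added illustration of the flaw described above (example code written for this page, not the driver's own code): a raw JSSE `SSLSocket` validates the certificate chain but does not match the certificate against the host name unless an endpoint identification algorithm is set. The weak and hardened constructors below, and the class and method names, are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;

/**
 * Added illustration, not the mongo-java-driver code: shows the JSSE setting
 * that distinguishes a TLS socket that only checks the certificate chain from
 * one that also verifies the peer's host name. Sockets are left unconnected so
 * the class runs offline.
 */
public class KmsTlsHostnameCheck {

    /** Weak pattern: chain is validated, host name is never matched. */
    static SSLSocket newKmsSocketWithoutHostnameVerification(SSLContext ctx) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(); // not yet connected
        socket.setUseClientMode(true);
        return socket;
    }

    /** Hardened pattern: "HTTPS" endpoint identification makes the handshake
     *  fail when the certificate does not match the host the client dialled. */
    static SSLSocket newKmsSocketWithHostnameVerification(SSLContext ctx) throws IOException {
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket();
        socket.setUseClientMode(true);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        return socket;
    }

    /** Audit helper: true only if this socket will verify the peer host name. */
    static boolean verifiesHostname(SSLSocket socket) {
        String alg = socket.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws IOException, NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        try (SSLSocket weak = newKmsSocketWithoutHostnameVerification(ctx);
             SSLSocket fixed = newKmsSocketWithHostnameVerification(ctx)) {
            System.out.println("weak socket verifies host name:  " + verifiesHostname(weak));
            System.out.println("fixed socket verifies host name: " + verifiesHostname(fixed));
        }
    }
}
```

The same `getEndpointIdentificationAlgorithm()` check is a cheap way to audit any hand-built TLS client socket in a code review.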
Created mongo-java-driver tracking bugs for this issue: Affects: fedora-32 [bug 1934237]
According to their docs, CSFLE was only added in 3.12.0+ but I don't know how that translates to mongo-java-driver [1]. Either way, the version shipped with openshift4/presto-container is 3.6.0 and is not affected. Additionally, I looked at the actual code for 3.6.0 and it doesn't seem to contain any of the affected code at all. There are other `socket.connect` calls but they set the `enableHostNameVerification`. [1] https://docs.mongodb.com/manual/core/security-client-side-encryption/#driver-compatibility-table
Upstream fix: https://github.com/mongodb/mongo-java-driver/commit/0b441990d8621979c68a45586187f8a12c003f63
This issue has been addressed in the following products: Red Hat Integration Debezium 1.4.2 Via RHSA-2021:0871 https://access.redhat.com/errata/RHSA-2021:0871
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20328
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
This issue has been addressed in the following products: Red Hat Integration Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918