Bug 1934236 (CVE-2021-20328) - CVE-2021-20328 mongo-java-driver: client-side field level encryption not verifying KMS host name
Summary: CVE-2021-20328 mongo-java-driver: client-side field level encryption not veri...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-20328
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1934237
Blocks: 1934239
TreeView+ depends on / blocked
 
Reported: 2021-03-02 18:32 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-02 16:17 UTC (History)
67 users (show)

Fixed In Version: mongodb-driver 3.11.3, mongodb-driver 3.12.8, mongodb-driver-legacy 4.0.6, mongodb-driver-legacy 4.1.2, mongodb-driver-legacy 4.2.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-16 19:20:13 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:0871 0 None None None 2021-03-16 11:58:02 UTC
Red Hat Product Errata RHSA-2021:4767 0 None None None 2021-11-23 10:34:52 UTC
Red Hat Product Errata RHSA-2021:4918 0 None None None 2021-12-02 16:17:47 UTC

Description Guilherme de Almeida Suckevicz 2021-03-02 18:32:31 UTC 
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.

Reference:
https://jira.mongodb.org/browse/JAVA-4017
Comment 1 Guilherme de Almeida Suckevicz 2021-03-02 18:32:56 UTC 
Created mongo-java-driver tracking bugs for this issue:

Affects: fedora-32 [bug 1934237]
Comment 2 Guilherme de Almeida Suckevicz 2021-03-02 18:33:01 UTC 
Created mongo-java-driver tracking bugs for this issue:

Affects: fedora-32 [bug 1934237]
Comment 5 Mark Cooper 2021-03-03 04:41:32 UTC 
According to their docs it the CSFLE was only added in 3.12.0+ but i don't know how that translates to mongo-java-driver [1]. Either way the version shipped with openshift4/presto-container is 3.6.0 and is not affected. 

Additionally looked at the actual code for 3.6.0 and it doesn't seem to contain any of the affected code at all. There are other `socket.connect` calls but they set the `enableHostNameVerification`.

[1] https://docs.mongodb.com/manual/core/security-client-side-encryption/#driver-compatibility-table
Comment 7 Mark Cooper 2021-03-03 04:48:56 UTC 
Upstream fix: https://github.com/mongodb/mongo-java-driver/commit/0b441990d8621979c68a45586187f8a12c003f63
Comment 8 errata-xmlrpc 2021-03-16 11:57:58 UTC 
This issue has been addressed in the following products:

  Red Hat Integration Debezium 1.4.2

Via RHSA-2021:0871 https://access.redhat.com/errata/RHSA-2021:0871
Comment 9 Product Security DevOps Team 2021-03-16 19:20:13 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20328
Comment 12 errata-xmlrpc 2021-11-23 10:34:49 UTC 
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4767 https://access.redhat.com/errata/RHSA-2021:4767
Comment 13 errata-xmlrpc 2021-12-02 16:17:44 UTC 
This issue has been addressed in the following products:

  Red Hat Integration

Via RHSA-2021:4918 https://access.redhat.com/errata/RHSA-2021:4918
Note You need to log in before you can comment on or make changes to this bug.