An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6. Reference: https://jira.mongodb.org/browse/SERVER-36263
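The affected ranges above are per release series, so a plain "is my version below X" comparison gets it wrong (4.2.20 is fixed, 4.0.24 is not). The following script is an added example, not code from the advisory or from MongoDB: it encodes the three fixed versions named in the advisory and triages a version inventory against them. The inventory, the host names, and the `-rc` handling (a pre-release of the fixed version is treated as still vulnerable) are constructed for illustration; in practice the version string comes from `db.version()` or `mongod --version` on each member of the replica set.

```python
"""Triage MongoDB server versions against the applyOps DoS fix versions
(SERVER-36263). Added example; the only facts taken from the advisory are
the three fixed versions below. Any series not listed there is reported as
"unknown" rather than assumed safe."""
from __future__ import annotations

# Fixed versions per release series, as stated in the advisory.
# Keyed by (major, minor); value is the first fixed (major, minor, patch).
FIXED_VERSIONS: dict[tuple[int, int], tuple[int, int, int]] = {
    (4, 0): (4, 0, 25),
    (4, 2): (4, 2, 14),
    (4, 4): (4, 4, 6),
}


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse 'X.Y.Z' or 'X.Y.Z-<suffix>' into a comparable tuple.

    The fourth element is 1 for a final release and 0 for a pre-release
    such as '4.4.6-rc0', so a pre-release sorts below the final release
    with the same number and is still treated as vulnerable (assumption:
    the fix is only guaranteed in the final numbered release).
    """
    core, sep, _suffix = version.strip().partition("-")
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised MongoDB version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch, 0 if sep else 1)


def is_affected(version: str) -> bool | None:
    """True if vulnerable, False if fixed, None if the series is not covered
    by the advisory (e.g. 3.6 or 5.0): consult the upstream ticket instead
    of assuming either way."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get((parsed[0], parsed[1]))
    if fixed is None:
        return None
    return parsed < fixed + (1,)


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status. Input maps host name -> reported version."""
    buckets: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        key = "unknown" if status is None else ("affected" if status else "fixed")
        buckets[key].append(f"{host} ({version})")
    return buckets


if __name__ == "__main__":
    # Constructed inventory for illustration; not real hosts.
    sample_inventory = {
        "rs0-primary": "4.4.5",
        "rs0-secondary-a": "4.4.6",
        "rs0-secondary-b": "4.4.6-rc0",
        "legacy-rs": "4.0.24",
        "archive-rs": "3.6.23",
    }
    for status, hosts in triage(sample_inventory).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Because `applyOps` is reachable by any user who can already write to a replicated collection, the triage output is the list of replica sets where the fix must be applied (or those users' write access reviewed) rather than a list of servers that merely need hardening of administrative roles.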
Upstream patches:
* (v4.0) https://github.com/mongodb/mongo/commit/cbec187266a9f902b3906ae8ccef2bbda0c5b27b
* (v4.2) https://github.com/mongodb/mongo/commit/865eccaf35aca29d1b71764d50227cdf853752d0
* (v4.4) https://github.com/mongodb/mongo/commit/7e053b675b100a31092e5a195e4549712c0966ce
We are not planning to fix this issue in RHUI because it affects version 3, which is in maintenance mode and will be EOL in March 2023. See the RHUI lifecycle for more information: https://access.redhat.com/support/policy/updates/rhui