Bug 2035009 (CVE-2021-20330) - CVE-2021-20330 mongodb: specific replication command with malformed oplog entries can crash secondaries
Keywords:
Status: NEW
Alias: CVE-2021-20330
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2035293
Blocks: 2035010
Reported: 2021-12-22 17:31 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-07-07 08:28 UTC (History)

Fixed In Version: mongodb 4.9.0, mongodb 4.2.16, mongodb 4.0.27, mongodb 4.4.9
Doc Type: If docs needed, set a value
Doc Text:
A denial of service flaw was found in MongoDB. An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Guilherme de Almeida Suckevicz 2021-12-22 17:31:49 UTC
An attacker with basic CRUD permissions on a replicated collection can run the applyOps command with specially malformed oplog entries, resulting in a potential denial of service on secondaries. This issue affects MongoDB Server v4.0 versions prior to 4.0.25; MongoDB Server v4.2 versions prior to 4.2.14; MongoDB Server v4.4 versions prior to 4.4.6.

Reference:
https://jira.mongodb.org/browse/SERVER-36263
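
The abuse pattern described in the report above (a principal with only CRUD rights issuing applyOps) can be watched for in the server's audit log while affected deployments wait for the upgrade. The Python below is an added example written for this page; it is not part of this bug report, of the MongoDB project, or of Red Hat's tooling. It assumes the JSON audit-log record layout with atype, users, roles and param.command fields; the sample lines are constructed for the example rather than captured from a server, and EXPECTED_APPLYOPS_ROLES is a placeholder to replace with the roles that legitimately run applyOps in your deployment.

```python
import json

# Roles expected to issue applyOps legitimately. Placeholder for this
# example; replace with the deployment's real administrative roles.
EXPECTED_APPLYOPS_ROLES = {
    ("admin", "root"),
    ("admin", "clusterAdmin"),
    ("admin", "__system"),
}


def _event(ts, user, db, role, command, ns, args, remote_ip="10.0.0.9"):
    """Build one constructed audit record in the shape of MongoDB's JSON audit log."""
    return json.dumps({
        "atype": "authCheck",
        "ts": {"$date": ts},
        "local": {"ip": "10.0.0.5", "port": 27017},
        "remote": {"ip": remote_ip, "port": 51234},
        "users": [{"user": user, "db": db}],
        "roles": [{"role": role, "db": db}],
        "param": {"command": command, "ns": ns, "args": args},
        "result": 0,
    })


# Constructed sample lines, not captured from a real server.
SAMPLE_AUDIT_LINES = [
    _event("2021-12-22T17:31:00Z", "app", "shop", "readWrite", "insert",
           "shop.orders", {"insert": "orders"}),
    # A readWrite-only user invoking applyOps: the pattern this report describes.
    _event("2021-12-22T17:31:05Z", "app", "shop", "readWrite", "applyOps",
           "admin.$cmd", {"applyOps": [
               {"op": "i", "ns": "shop.orders", "o": {"_id": 1}},
               {"op": "u", "ns": "shop.orders", "o": {}},
           ]}),
    # An administrator running applyOps: expected, not flagged.
    _event("2021-12-22T17:32:00Z", "dba", "admin", "root", "applyOps",
           "admin.$cmd", {"applyOps": [{"op": "n", "ns": "", "o": {"msg": "noop"}}]},
           remote_ip="10.0.0.2"),
    "this line is not JSON and must be skipped",
    _event("2021-12-22T17:33:00Z", "app", "shop", "readWrite", "find",
           "shop.orders", {"find": "orders"}),
]


def is_unexpected_applyops(event, expected_roles=EXPECTED_APPLYOPS_ROLES):
    """True if this authCheck record is an applyOps call by a principal holding
    none of the roles expected to use applyOps."""
    if event.get("atype") != "authCheck":
        return False
    param = event.get("param") or {}
    if param.get("command") != "applyOps":
        return False
    held = {(r.get("db"), r.get("role")) for r in event.get("roles", [])}
    return held.isdisjoint(expected_roles)


def find_unexpected_applyops(lines, expected_roles=EXPECTED_APPLYOPS_ROLES):
    """Scan audit-log lines; return (line_no, user@db, remote ip, op count) per hit."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip rather than abort the scan
        if not is_unexpected_applyops(event, expected_roles):
            continue
        users = ",".join(f"{u.get('user')}@{u.get('db')}" for u in event.get("users", []))
        ops = (event.get("param") or {}).get("args", {}).get("applyOps") or []
        hits.append((line_no, users, (event.get("remote") or {}).get("ip"), len(ops)))
    return hits


if __name__ == "__main__":
    for line_no, users, ip, n_ops in find_unexpected_applyops(SAMPLE_AUDIT_LINES):
        print(f"line {line_no}: applyOps with {n_ops} oplog entries from {users} at {ip}")
```

Two caveats: auditing is a MongoDB Enterprise feature, and authCheck records for successful commands are only written when auditAuthorizationSuccess is enabled, so without that setting the scan sees only denied attempts. The check also does not try to judge whether the submitted oplog entries are malformed (the report does not say what the malformation is); it is an anomaly signal that applyOps is reaching the server from a principal that should not need it, and the actual remedy remains the upgrade to the versions in the Fixed In Version field.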

Comment 3 Yadnyawalk Tale 2022-01-27 13:57:57 UTC
We are not planning on fixing this issue in RHUI because it affects version 3, which is in maintenance mode and will be EOL in March 2023. See RHUI lifecycle here for more information - https://access.redhat.com/support/policy/updates/rhui

