Do people usually run Mongo in a mode that allows unauthenticated calls? I don’t know anything about Mongo. This just seems surprising.
giancarlostoro•2h ago
Its default is to only take connections that are local, usually I have my mongo clients SSH into a mongo server as opposed to opening up the port to the internet. Some Mongo users / collections are very open by default.
It has been a minute since I used Mongo for production grade projects, so some things could have changed since then.
erdaniels•1h ago
No, but it's pretty common IME to create an Atlas cluster that has internet-wide access (0.0.0.0/0) when testing and forgetting to turn this off. According to https://jira.mongodb.org/browse/SERVER-115508, this affects unauthenticated ops. Based on the repro code itself, it looks like this happens way before authentication is checked for the corresponding OP at the OP_MSG decoding level.
So if you're using Atlas, check that your Cluster has auto upgraded already. If you're using 0.0.0.0/0, stop doing that and prefer a limited IP address range and even better, use VPC Peering or other security/network boundary features.
computerfan494•1h ago
We received communication that all Atlas clusters were upgraded with the fix before the vulnerability was announced.
FridgeSeal•1h ago
Current link points straight to the Python code without a lot of context, so here’s the top of the readme:
dpark•2h ago
giancarlostoro•2h ago
It has been a minute since I used Mongo for production grade projects, so some things could have changed since then.
erdaniels•1h ago
So if you're using Atlas, check that your Cluster has auto upgraded already. If you're using 0.0.0.0/0, stop doing that and prefer a limited IP address range and even better, use VPC Peering or other security/network boundary features.
computerfan494•1h ago