Mongobleed Being Actively Exploited
Monday, 05 January 2026

A high-severity vulnerability affecting MongoDB Server that was identified last month is now being actively exploited, according to the US Cybersecurity and Infrastructure Security Agency and the Australian Cyber Security Centre. The MongoDB Security Engineering team identified the security vulnerability on December 12. It impacts MongoDB Server and has become known as Mongobleed due to similarities with earlier vulnerabilities including the Heartbleed vulnerability that leaked data from OpenSSL's memory.
In bleed vulnerabilities, the server unintentionally leaks or "bleeds" portions of uninitialized heap memory to an attacker. The vulnerability originates from how MongoDB processes compressed wire-protocol messages, a feature that is enabled by default. It allows an attacker to read any uninitialized heap memory, meaning anything that was allocated to memory by a previous database operation could be read.

MongoDB rapidly issued a patch for the affected products - MongoDB Server Community and Enterprise editions. The patch means the vulnerability isn't affecting MongoDB Atlas, the managed MongoDB Server offering, or MongoDB's internal systems. The patch was shared on MongoDB's community forum on December 23. However, because the problem coincided with the holidays, not everyone has patched their systems, and the national security agencies say the vulnerability is being exploited on unpatched systems. Older versions of MongoDB Server will not receive the patch, so users of those versions will need to upgrade.

On December 29, CISA (the US Cybersecurity and Infrastructure Security Agency) added the vulnerability to its catalog, describing it as known exploited. Australia's Cyber Security Centre also said in an advisory that it "is aware of active global exploitation of this vulnerability."

One problem is that this is an easy vulnerability to exploit; on an unpatched server, the hacker need only connect to the database without any authorization. The hacker establishes many connections to the MongoDB server, maybe tens of thousands a minute. Each connection probes for memory leaks, and when successful the leaked data can be used to reconstruct sensitive information.

Another problem comes from the number of potential targets. Cyber company Wiz estimated that 42% of cloud environments have at least one instance of a version of MongoDB vulnerable to the problem, while Censys estimated around 87,000 potentially vulnerable instances worldwide.
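The burst of connections described above leaves a trace in the server's own log, so it can be hunted for after the fact. The following is an added example, not code from MongoDB or from this article: it assumes mongod's JSON structured log format (MongoDB 4.4 and later), in which "Connection accepted" events carry id 22943 and the peer address in attr.remote. The function names, the threshold and the sample lines are constructed for illustration.

```python
import json
from collections import Counter
from datetime import datetime, timezone

ACCEPTED_ID = 22943  # structured-log id of mongod's "Connection accepted" event


def connection_bursts(log_lines, threshold):
    """Return {(source_ip, utc_minute): count} for every source that opened
    at least `threshold` connections within one calendar minute."""
    per_minute = Counter()
    for raw in log_lines:
        try:
            entry = json.loads(raw)
            if entry["id"] != ACCEPTED_ID:
                continue
            stamp = datetime.fromisoformat(entry["t"]["$date"])
            remote = entry["attr"]["remote"]
            ip = remote.rsplit(":", 1)[0]  # drop the ephemeral source port
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # truncated, non-JSON or unexpected line: skip it
        minute = stamp.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M")
        per_minute[(ip, minute)] += 1
    return {key: n for key, n in per_minute.items() if n >= threshold}


def sample_log():
    """Constructed log lines for the demo, not captured from a real server."""
    def accepted(second, remote, conn_id):
        return json.dumps({
            "t": {"$date": f"2026-01-05T09:30:{second:02d}.000+00:00"},
            "s": "I", "c": "NETWORK", "id": ACCEPTED_ID, "ctx": "listener",
            "msg": "Connection accepted",
            "attr": {"remote": remote, "connectionId": conn_id},
        })
    burst = [accepted(s, f"203.0.113.7:{40000 + s}", s) for s in range(50)]
    normal = [accepted(10, "198.51.100.20:51544", 900), "truncated {line"]
    return burst + normal


if __name__ == "__main__":
    # A threshold of 20 suits the tiny sample; tune it to the server's baseline.
    for (ip, minute), count in connection_bursts(sample_log(), 20).items():
        print(f"{minute}Z {ip} opened {count} connections")
```

A high connection rate alone is not proof of exploitation, since connection pools and monitoring agents can also reconnect aggressively, so compare flagged sources against known application hosts.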


