CVE-2025-14847 MongoDB

January 30, 2026

To the UCB-Security community, 

This is a notice from the Information Security Office to alert you to a high severity vulnerability that impacts MongoDB Server [1]. Please share this alert internally with IT admins and service owners who run the product so they are aware and know what actions to take to address this vulnerability.

SUMMARY

ISO is aware of a high severity vulnerability that affects MongoDB Server and is being actively exploited. The vulnerability allows an unauthenticated attacker to read information from the server process's memory.

IMPACT

The vulnerability can be used to retrieve credentials to the database, session tokens, and query data [2]. 

WHAT IS VULNERABLE

  • MongoDB 8.2 prior to 8.2.3

  • MongoDB 8.0 prior to 8.0.17

  • MongoDB 7.0 prior to 7.0.28

  • MongoDB 6.0 prior to 6.0.27

  • MongoDB 5.0 prior to 5.0.32

  • MongoDB 4.4 prior to 4.4.30

  • All MongoDB Server 4.2.x versions

  • All MongoDB Server 4.0.x versions

  • All MongoDB Server 3.6.x versions

RECOMMENDATIONS

Upgrade immediately to a patched MongoDB version (8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, or 4.4.30).

MITIGATION

If you are unable to follow the above recommendations immediately, then as a temporary workaround, you can mitigate the issue by disabling zlib compression [3]. 
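
As a quick check for admins, here is a small Python script (added to this notice as an example; it is not from MongoDB or the ISO) that compares a reported server version against the affected ranges listed above and flags a mongod.conf whose net.compression.compressors still includes zlib. It assumes, as noted in the code, that mongod's documented default compressor list applies when that key is absent, so an unset key does not count as mitigated.

```python
import re

# Fixed releases from the notice; any earlier release on the same branch is affected.
FIXED_RELEASE = {(8, 2): (8, 2, 3), (8, 0): (8, 0, 17), (7, 0): (7, 0, 28),
                 (6, 0): (6, 0, 27), (5, 0): (5, 0, 32), (4, 4): (4, 4, 30)}
# Branches the notice lists as affected in every version (no fixed release).
AFFECTED_BRANCHES = {(4, 2), (4, 0), (3, 6)}
# Assumption, not stated in the notice: if net.compression.compressors is unset,
# mongod's documented default list, which includes zlib, is in effect.
DEFAULT_COMPRESSORS = ("snappy", "zstd", "zlib")


def parse_version(text):
    """Turn a version string such as 'v7.0.12' or '8.0.17-rc0' into (major, minor, patch)."""
    m = re.match(r"^\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised MongoDB version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True if the version falls in the notice's affected set, False if patched,
    None if the release branch is not named in the notice at all."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in AFFECTED_BRANCHES:
        return True
    if branch in FIXED_RELEASE:
        return (major, minor, patch) < FIXED_RELEASE[branch]
    return None


def compressors_from_conf(conf_text):
    """Read net.compression.compressors from a YAML mongod.conf fragment (line-based,
    so it only handles the plain 'compressors: a,b,c' form)."""
    for line in conf_text.splitlines():
        m = re.match(r"^\s*compressors:\s*['\"]?([A-Za-z,]+)", line)
        if m:
            return tuple(c.strip() for c in m.group(1).split(","))
    return DEFAULT_COMPRESSORS


def zlib_enabled(conf_text):
    """True when the zlib workaround is NOT in place for this configuration."""
    return "zlib" in compressors_from_conf(conf_text)

# Constructed sample configs: one still using zlib, one with the workaround applied.
SAMPLE_CONF_VULNERABLE = "net:\n  port: 27017\n  compression:\n    compressors: snappy,zlib,zstd\n"
SAMPLE_CONF_MITIGATED = "net:\n  compression:\n    compressors: snappy,zstd\n"
```

Feed is_affected() the output of db.version() from mongosh and zlib_enabled() the contents of your mongod.conf; a server that is affected and still has zlib enabled needs the upgrade or the workaround above.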

REFERENCES

  1. https://www.cve.org/CVERecord?id=CVE-2025-14847

  2. https://medium.com/@tahirbalarabe2/critical-mongobleed-cve-2025-14847-vulnerability-hits-mongodb-servers-69922a85428b

  3. https://jira.mongodb.org/browse/SERVER-115508

If you have any questions about the vulnerability or would like some assistance patching or mitigating it, please contact security@berkeley.edu.