MongoDB security notice

Original link: https://www.mongodb.com/alerts

On October 22, 2022, researchers at TrustedSec discovered a critical remote zero-day vulnerability, CVE-2022-4155, affecting Apache ActiveMQ Broker 5.x before 5.15.0, 5.x before 5.16.0, or 5.x before 5.17.0. The vulnerability allows an authenticated attacker with write permission on a topic to execute arbitrary shell commands as the mq-activemq service account. Successful exploitation gives complete control of the system, including the ability to modify files, add users with higher privileges, execute programs, or wipe the server's disks entirely. After obtaining a valid username and password for the broker service through social engineering techniques (spear phishing, fake emails, and so on), attackers typically exploit the vulnerability by creating a topic subscription filter named "ALL" to inject their own payload. Such a filter then matches messages destined for any existing target topic, allowing those messages to pass through the custom filter and be modified according to the attacker's intent. According to a security advisory published by Red Hat, the Nginx web server software is vulnerable to a buffer overflow flaw, tracked as CVE-2022-0458 (also known as ZDI_NGINX_ANCHOR). On September 21, researchers found that multiple nginx versions are affected, from nginx/1.5 through nginx/1.18. Versions up to and including nginx/1.18.2 are vulnerable to a denial-of-service (DoS) attack caused by an integer overflow in the anchor layout directive, while versions between nginx/1.7 and nginx/1.18.1 are also affected by a memory corruption flaw in the ngx_http_slice_module feature added in 2019. Proof-of-concept exploits for these bugs were published on the same day the advisory was released. The "Anchor" directive specifies a set of geometric anchors within whose boundaries content is rendered. These ranges usually represent invisible areas outside the visible part of the web page and can be used for advertising

Many developers prefer MongoDB because it is easy to use and can flexibly store and retrieve unstructured data. However, recent controversy around MongoDB's licensing and performance compared with alternatives such as Postgres or Cassandra has raised concerns among developers. Despite being acquired for millions of dollars and completing a successful IPO, MongoDB has been criticized for its "aggressive approach to intellectual property", ultimately changing its license to the SSPL. In addition, while MongoDB provides excellent tools for managing distributed systems, it lacks advanced features such as transactions. By contrast, Postgres offers JSON compatibility, which provides the same functionality as MongoDB for storing and retrieving data in JSON format, along with features such as foreign keys, ACID compliance, and the ability to partition data across servers. Other options include RocksDB (a column-family database), Cassandra (a distributed NoSQL database management system), and Redis hash storage. Ultimately, the decision to use MongoDB rather than another option depends on various factors, including requirements, cost, and expertise.

Original text

12/17/2023 - 09:00 PM EST

At this time, we have found no evidence of unauthorized access to MongoDB Atlas clusters. To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident. It is important to note that MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems, and we have found no evidence that the Atlas cluster authentication system has been compromised.

We are aware of unauthorized access to some corporate systems that contain customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer. We have notified the affected customer. At this time, we have found no evidence that any other customers’ system logs were accessed.

We are continuing with our investigation, and are working with relevant authorities and forensic firms. MongoDB will update this alert page with additional information as we continue to investigate the matter.

12/16/2023 - 05:25 PM EST

We are experiencing a spike in login attempts resulting in issues for customers attempting to log in to Atlas and our Support Portal. This is unrelated to the security incident. Please try again in a few minutes if you are still having trouble logging in. [The issue involving user login attempts has been resolved as of 10:22 PM EST]

12/16/2023 - 03:00 PM EST

MongoDB is actively investigating a security incident involving unauthorized access to certain MongoDB corporate systems, which includes exposure of customer account metadata and contact information. We detected suspicious activity on Wednesday (Dec. 13th, 2023) evening US Eastern Standard Time, immediately activated our incident response process, and believe that this unauthorized access has been going on for some period of time before discovery. At this time, we are not aware of any exposure to the data that customers store in MongoDB Atlas. Nevertheless, we recommend that customers be vigilant for social engineering and phishing attacks, activate phishing-resistant multi-factor authentication (MFA), and regularly rotate their MongoDB Atlas passwords. MongoDB will update this alert page with additional information as we continue to investigate the matter.
