A critical vulnerability (CVE-2024-8305) has been identified in MongoDB Server: incorrect enforcement of prepareUnique index constraints on secondaries may cause secondaries to crash. In extreme cases, multiple secondaries crashing could leave the replica set with no primary at all. This issue affects MongoDB Server v6.0 versions prior to 6.0.17, MongoDB Server v7.0 versions prior to 7.0.13, and MongoDB Server v7.3 versions prior to 7.3.4.

Details

The vulnerability lies in how the prepareUnique index constraint is enforced on secondaries in a MongoDB replica set. A prepareUnique index is the intermediate step toward a unique index: duplicates that already exist when the option is set are tolerated, but new writes that would add another duplicate are rejected. In certain situations the secondary-side enforcement of this constraint is incorrect, and instead of the write being reported as an ordinary error the secondary server crashes.

The following snippet is a simplified illustration of the faulty check, written in JavaScript pseudocode; it is not the MongoDB Server source (which is C++), and it only sketches the behaviour described above.

function prepareUnique(docs, field) {
    const uniqueValues = new Set();
    docs.forEach(doc => {
        const fieldValue = doc[field];

        // Documents without the field (or with a falsy value) are skipped.
        if (!fieldValue) {
            return;
        }

        if (uniqueValues.has(fieldValue)) {
            // Every duplicate found in the scanned documents, including ones
            // that prepareUnique is meant to tolerate, becomes an uncaught error.
            // On a secondary applying replicated writes, an error escaping here
            // takes the node down instead of being returned as a write error.
            throw new Error(`Duplicate value found for unique index on field '${field}'`);
        }

        uniqueValues.add(fieldValue);
    });
}
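To make the failure concrete, here is an added JavaScript model (written for this article, not MongoDB Server code) of what a prepareUnique constraint is supposed to allow and of a secondary that applies replicated inserts. The document shapes, the `email` field, the oplog entry format and the rule that an uncaught error in the apply loop terminates the node are all simplifying assumptions of the model. The strict check mirrors the snippet above: it rejects every duplicate in the collection, including the pre-existing duplicate that prepareUnique is designed to tolerate, so the secondary dies on the first replicated write; a check that only examines the write just applied does not.

```javascript
// Added illustration, not MongoDB Server code. Documents, the oplog format and
// the "an uncaught error kills the node" rule are assumptions of this model.

// Multiset of the values currently present for `field`.
function countValues(docs, field) {
  const counts = new Map();
  for (const doc of docs) {
    if (doc[field] === undefined) continue; // documents without the field are not indexed
    counts.set(doc[field], (counts.get(doc[field]) || 0) + 1);
  }
  return counts;
}

// Strict check in the style of the snippet above: any duplicate anywhere in the
// collection is an error, even one that predates the prepareUnique constraint.
function strictCheck(docs, field) {
  for (const [value, n] of countValues(docs, field)) {
    if (n > 1) throw new Error(`Duplicate value ${JSON.stringify(value)} for field '${field}'`);
  }
}

// prepareUnique semantics on the primary: existing duplicates stay, but a new
// write may not add a document whose key already exists.
function prepareUniqueInsert(docs, field, doc) {
  const value = doc[field];
  if (value !== undefined && countValues(docs, field).has(value)) {
    return { ok: false, error: `duplicate key on '${field}': ${JSON.stringify(value)}` };
  }
  docs.push(doc);
  return { ok: true };
}

// Secondary applying an oplog; `check` runs after each op. In this model an
// exception escaping the apply loop is fatal: the node "crashes".
function replaySecondary(seedDocs, oplog, field, check) {
  const docs = seedDocs.map(d => ({ ...d }));
  let applied = 0;
  try {
    for (const op of oplog) {
      if (op.op === 'i') docs.push({ ...op.o });
      check(docs, field);
      applied++;
    }
    return { crashed: false, applied, count: docs.length };
  } catch (e) {
    return { crashed: true, applied, error: e.message };
  }
}

// A check that only inspects the write just applied: this is the behaviour a
// secondary needs, because the primary already validated the write.
function lastWriteCheck(docs, field) {
  const last = docs[docs.length - 1];
  const n = countValues(docs, field).get(last[field]) || 0;
  if (n > 1) throw new Error(`replicated op introduced duplicate ${last[field]}`);
}

// Constructed sample: `email` already has a duplicate before prepareUnique was set.
const SEED = [
  { _id: 1, email: 'a@example.com' },
  { _id: 2, email: 'a@example.com' },
  { _id: 3, email: 'b@example.com' },
];

function demo() {
  const primary = SEED.map(d => ({ ...d }));
  // Primary rejects a new conflicting insert and accepts a non-conflicting one.
  const rejected = prepareUniqueInsert(primary, 'email', { _id: 4, email: 'b@example.com' });
  const accepted = prepareUniqueInsert(primary, 'email', { _id: 5, email: 'c@example.com' });
  // Only accepted writes reach the oplog.
  const oplog = [{ op: 'i', o: { _id: 5, email: 'c@example.com' } }];

  const strict = replaySecondary(SEED, oplog, 'email', strictCheck);     // crashes
  const lenient = replaySecondary(SEED, oplog, 'email', lastWriteCheck); // survives
  return { rejected, accepted, strict, lenient };
}
```

Running `demo()` under Node shows the contrast: the strict secondary reports `crashed: true` with zero ops applied, because the seed data already violated full uniqueness, while the secondary that checks only the replicated write applies the single op and ends with four documents.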

When enough secondaries crash that the remaining healthy members no longer form a majority of the set's voting members, the surviving primary steps down and no new primary can be elected, so the replica set loses write capability entirely.
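The majority rule behind that statement, as an added example (not MongoDB code): a replica set keeps or elects a primary only while a strict majority of its voting members is reachable. The member objects and the five-node sample set are constructed for this illustration; in practice you would fill them from `rs.conf()` (votes) and `rs.status()` (health).

```javascript
// Added example, not MongoDB code. Member objects are constructed for this page:
// { name, role, votes, healthy } with votes 0 or 1 as in rs.conf().

// Majority condition: a primary needs a strict majority of the voting members.
function electionCapacity(members) {
  const voting = members.filter(m => m.votes > 0);
  const reachable = voting.filter(m => m.healthy);
  const needed = Math.floor(voting.length / 2) + 1;
  return {
    votingMembers: voting.length,
    reachableVoters: reachable.length,
    needed,
    canElectPrimary: reachable.length >= needed,
  };
}

// Crashes healthy secondaries one at a time until the set can no longer hold a
// primary, and reports how many crashes it took.
function crashUntilNoPrimary(members) {
  const state = members.map(m => ({ ...m }));
  const secondaries = state.filter(m => m.role === 'SECONDARY' && m.healthy);
  let crashed = 0;
  for (const s of secondaries) {
    if (!electionCapacity(state).canElectPrimary) break;
    s.healthy = false;
    crashed++;
  }
  return { crashedSecondaries: crashed, ...electionCapacity(state) };
}

// Constructed 5-member set: a primary, three voting secondaries and one
// non-voting (votes: 0, priority 0) analytics node.
const SAMPLE_SET = [
  { name: 'rs0-a', role: 'PRIMARY',   votes: 1, healthy: true },
  { name: 'rs0-b', role: 'SECONDARY', votes: 1, healthy: true },
  { name: 'rs0-c', role: 'SECONDARY', votes: 1, healthy: true },
  { name: 'rs0-d', role: 'SECONDARY', votes: 1, healthy: true },
  { name: 'rs0-e', role: 'SECONDARY', votes: 0, healthy: true },
];

// Constructed 3-member set for comparison.
const THREE_VOTER_SET = [
  { name: 'rs1-a', role: 'PRIMARY',   votes: 1, healthy: true },
  { name: 'rs1-b', role: 'SECONDARY', votes: 1, healthy: true },
  { name: 'rs1-c', role: 'SECONDARY', votes: 1, healthy: true },
];
```

Both sets lose their primary after two secondary crashes: with four voters the majority is three, so the fourth vote buys no extra tolerance over a three-voter set, which is why MongoDB recommends an odd number of voting members. The non-voting node never counts toward the majority either way.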

Original references for this vulnerability:

1. Official MongoDB Security Advisory: the advisory from MongoDB provides details of the vulnerability and the fixed versions to update to.
2. CVE-2024-8305 record: the official entry for CVE-2024-8305 in the MITRE CVE database, with a summary, the affected versions, and references to related resources.

Mitigation

To address this vulnerability, update MongoDB Server to a fixed release of your branch, as specified in the security advisory:

For MongoDB Server v6.0 users, update to version 6.0.17 or later.

For MongoDB Server v7.0 users, update to version 7.0.13 or later.

For MongoDB Server v7.3 users, update to version 7.3.4 or later.

Follow the usual rolling-upgrade order (secondaries first, then step down and upgrade the primary) so the set keeps a primary throughout.
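An added helper (not part of the advisory) to check which members of a set still run a vulnerable build. The fixed versions come from the advisory text above; `FIXED_VERSIONS`, the function names and the hosts and versions in `SAMPLE_MEMBERS` are this example's own. In mongosh, `isAffected(db.version())` checks the member you are connected to.

```javascript
// Added example, not from the advisory. Fixed versions per branch are taken
// from the advisory text; everything else here is this example's assumption.
const FIXED_VERSIONS = { '6.0': [6, 0, 17], '7.0': [7, 0, 13], '7.3': [7, 3, 4] };

// Parses "major.minor.patch" (trailing suffixes such as "-rc0" are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, branch, fixedIn }. Branches the advisory does not name
// are reported as `affected: null` (not covered), not as safe.
function isAffected(version) {
  const parsed = parseVersion(version);
  const branch = `${parsed[0]}.${parsed[1]}`;
  const fixed = FIXED_VERSIONS[branch];
  if (!fixed) return { affected: null, branch, fixedIn: null };
  return { affected: compareVersions(parsed, fixed) < 0, branch, fixedIn: fixed.join('.') };
}

// Given [{ host, version }] collected from each member (for example from
// db.serverBuildInfo().version), returns the members that still need the patch.
function membersNeedingPatch(members) {
  return members
    .map(m => ({ host: m.host, version: m.version, ...isAffected(m.version) }))
    .filter(r => r.affected === true);
}

// Constructed sample input.
const SAMPLE_MEMBERS = [
  { host: 'rs0-a.example.internal', version: '7.0.12' },
  { host: 'rs0-b.example.internal', version: '7.0.13' },
  { host: 'rs0-c.example.internal', version: '6.0.16' },
];
```

Note the three-way result: a version below the fix is affected, a fixed or later patch on the same branch is not, and a branch the advisory does not mention (5.0, 8.0) is reported as not covered so it is not silently treated as safe.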

As a general best practice, enable authentication and restrict write access to trusted clients; since index constraints are enforced as writes are replicated, this limits who can trigger the condition, but it is not a substitute for the update.

In conclusion, CVE-2024-8305 presents a significant risk to the availability of MongoDB replica sets. To mitigate the potential impact, users must update MongoDB Server to a patched version and follow security best practices to prevent unauthorized access.

Timeline

Published on: 10/21/2024 15:15:04 UTC
Last modified on: 11/07/2024 15:38:32 UTC