// For flags

CVE-2021-20335

SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager

Severity Score

4.6
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.

Para MongoDB Ops Manager anteriores o iguales a la versión 4.2.24 con varios servidores de aplicaciones OM, que tienen SSL activado para sus procesos MongoDB, la actualización a MongoDB Ops Manager anteriores o iguales a la versión 4.4.12 desencadena un error en el que Automation piensa que SSL está desactivado, y puede desactivar SSL temporalmente para los miembros del clúster. Este problema es temporal y finalmente se corrige por sí mismo después de que las instancias de MongoDB Ops Manager hayan terminado de actualizarse a MongoDB Ops Manager versión 4.4. Además, los clientes deben estar ejecutando con clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true para verse afectados*.* Los clientes que actualizan de Ops Manager versión 4.2.X a la versión 4.2.24 y finalmente a Ops Manager versión 4.4.13+ no se ven afectados por este problema

*Credits: N/A
CVSS Scores
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Adjacent
Attack Complexity
Low
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2020-12-17 CVE Reserved
  • 2021-02-11 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-17 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-319: Cleartext Transmission of Sensitive Information
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mongodb
Search vendor "Mongodb"
Ops Manager
Search vendor "Mongodb" for product "Ops Manager"
>= 4.2.0 <= 4.2.24
Search vendor "Mongodb" for product "Ops Manager" and version " >= 4.2.0 <= 4.2.24"
-
Affected