CVE-2021-20335
SSL may be unexpectedly disabled during upgrade of multiple-server MongoDB Ops Manager
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.
Para MongoDB Ops Manager anteriores o iguales a la versión 4.2.24 con varios servidores de aplicaciones OM, que tienen SSL activado para sus procesos MongoDB, la actualización a MongoDB Ops Manager anteriores o iguales a la versión 4.4.12 desencadena un error en el que Automation piensa que SSL está desactivado, y puede desactivar SSL temporalmente para los miembros del clúster. Este problema es temporal y finalmente se corrige por sí mismo después de que las instancias de MongoDB Ops Manager hayan terminado de actualizarse a MongoDB Ops Manager versión 4.4. Además, los clientes deben estar ejecutando con clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true para verse afectados*.* Los clientes que actualizan de Ops Manager versión 4.2.X a la versión 4.2.24 y finalmente a Ops Manager versión 4.4.13+ no se ven afectados por este problema
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-12-17 CVE Reserved
- 2021-02-11 CVE Published
- 2023-03-08 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-319: Cleartext Transmission of Sensitive Information
CAPEC
References (1)
URL | Tag | Source |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23 | 2024-01-23 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Mongodb Search vendor "Mongodb" | Ops Manager Search vendor "Mongodb" for product "Ops Manager" | >= 4.2.0 <= 4.2.24 Search vendor "Mongodb" for product "Ops Manager" and version " >= 4.2.0 <= 4.2.24" | - |
Affected
|