Delphix

TB103 Source Mongo Instance Password is Visible on the Staging Host in "ps" Output
Alert Type: Security

Impact: Severity (NVD): High

Delphix CVSS v3.1 Score: 8.8

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

  • Attack Vector (AV): Local

  • Attack Complexity (AC): Low

  • Privileges Required (PR): Low

  • User Interaction (UI): None

  • Scope (S): Changed

  • Confidentiality (C): High

  • Integrity (I): High

  • Availability (A): High

The Continuous Data MongoDB Select Connector discloses the credential it uses to connect to the source on the process command line, which is visible in the process list (for example, `ps` output) to any local user on the staging host.

In addition, the documentation for the Continuous Data MongoDB Select Connector previously recommended granting excess privilege on the source to the user that invokes the mongodump command, which could allow the MongoDB service to be stopped or the data to be damaged or altered.

Contributing Factors

This article applies to the following products and versions, with the following clarifications:

  • All versions of Continuous Data using the Mongo Select Connector up to v1.1.0.1 are affected.

  • "Supported releases" includes releases in Extended Support.

  • Releases that are out of support are not checked for vulnerability applicability.

Continuous Data (formerly Virtualization)

Continuous Data is only affected if the MongoDB plugin has been added and there is an active MongoDB source.

Continuous Data may be configured in a variety of different ways, all of which are susceptible to this issue. For clarity, each is listed below.

Affected  | Configuration                             | Notes
Yes*      | Continuous Data                           | * Only affected if the MongoDB Select Connector is in use.
Yes*      | Cloud Engine                              | * Only affected if the MongoDB Select Connector is in use.
Yes*      | Continuous Vault                          | * Only affected if the MongoDB Select Connector is in use.
See notes | Select Connectors                         | Connectors are versioned separately from Continuous Data. All MongoDB Select Connector versions up to 1.1.0.1 are affected.
N/A       | Continuous Compliance (formerly Masking)  |
N/A       | Containerized Masking                     |
N/A       | Hyperscale Compliance                     |
N/A       | Data Control Tower                        |
N/A       | Delphix Compliance Services               |

Mitigation

Multiple mitigation steps are available and recommended:

  1. Limit local user access to the staging host. This may include a selection of the following options:

    1. Strong option: Employ manual procedures and/or automated tooling such as Privileged Identity Management / Privileged Access Management (PIM/PAM) solutions to broker 'break glass' access to the staging host for authorized individuals only, on an as-needed basis (i.e. no persistent access privilege).

    2. Moderate option: Restrict local user access to the staging host to only a few trusted administrators.

  2. Adjust the privileges of the MongoDB user used by the Select Connector to connect to the source:

    1. Remove `clusterAdmin` and replace it with `backup`.

  3. Implement Authentication Restrictions on the MongoDB user used by the Select Connector to connect to the dSource:

    1. Restrict connections for the user so that they are only permitted when originating from the IP address of the staging host.
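Mitigation steps 2 and 3 can be checked and applied against the MongoDB user document. The following is an added example (not Delphix's or MongoDB's own code): it audits a user document of the shape returned by mongosh's `db.getUser(name, { showAuthenticationRestrictions: true })` for the excess `clusterAdmin` role and a missing staging-host restriction, and builds the document to pass to `db.updateUser`. The username, staging host IP and sample user document are constructed.

```javascript
// Added example, not part of the Delphix bulletin. Username, IP address and
// the sample user document below are constructed for illustration.

// Role the bulletin says to remove from the Select Connector's source user.
const EXCESS_ROLES = new Set(['clusterAdmin']);

// Audit a user document (shape of db.getUser(name,
// { showAuthenticationRestrictions: true })). Returns a list of findings;
// an empty list means the user matches the bulletin's recommendations.
function auditConnectorUser(userDoc, stagingHostIp) {
  const findings = [];
  const roles = userDoc.roles || [];
  for (const r of roles) {
    if (EXCESS_ROLES.has(r.role)) {
      findings.push(`excess role ${r.role}@${r.db}: replace with backup`);
    }
  }
  if (!roles.some((r) => r.role === 'backup' && r.db === 'admin')) {
    findings.push('missing backup@admin role needed by mongodump');
  }
  // clientSource entries are the only addresses the user may authenticate from.
  const restrictions = userDoc.authenticationRestrictions || [];
  const allowed = restrictions.flatMap((ar) => ar.clientSource || []);
  if (allowed.length === 0) {
    findings.push('no clientSource restriction: user can authenticate from any host');
  } else if (allowed.length !== 1 || allowed[0] !== stagingHostIp) {
    findings.push(`clientSource ${JSON.stringify(allowed)} not limited to staging host ${stagingHostIp}`);
  }
  return findings;
}

// Build the update document for db.updateUser(name, doc): backup role only,
// and authentication permitted only from the staging host's address.
function hardenedUserUpdate(stagingHostIp) {
  return {
    roles: [{ role: 'backup', db: 'admin' }],
    authenticationRestrictions: [{ clientSource: [stagingHostIp] }],
  };
}

// Constructed sample: a user set up per the previous (over-privileged) guidance.
const SAMPLE_USER = {
  user: 'dlpx_mongo', // hypothetical username
  db: 'admin',
  roles: [{ role: 'clusterAdmin', db: 'admin' }, { role: 'backup', db: 'admin' }],
};
const STAGING_HOST_IP = '192.0.2.10'; // constructed staging host address

console.log(auditConnectorUser(SAMPLE_USER, STAGING_HOST_IP));
```

In mongosh, the fix for the sample user would be `db.updateUser('dlpx_mongo', hardenedUserUpdate('192.0.2.10'))` run against the admin database, after which the audit returns no findings.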

Resolution

This issue is resolved in Delphix MongoDB Select Connector release 1.2.0.

Update your MongoDB Select Connectors to the latest release, v1.2.0, on all affected Continuous Data, Cloud Engine and Continuous Vault deployments. Update and reduce the permissions of the MongoDB user used by the Select Connector to connect to the dSource according to the updated documentation for Source Requirements.

Additional Information