TB103 Source Mongo Instance Password is Visible on the Staging Host in "ps" Output
Alert Type: Security
Impact
Severity (NVD): High
Delphix CVSS v3.1 Score: 8.8
The Continuous Data MongoDB Select Connector discloses the credential that it uses to connect to the source on the process command line, which is visible in the process list to any local user on the staging host.
In addition, the documentation for the Continuous Data MongoDB Select Connector previously recommended granting the source-side user that invokes the mongodump command more privilege than it needs, which could allow the MongoDB service to be stopped or the data to be damaged or altered.
Contributing Factors
This article applies to the following products and versions, with the following clarifications:
- All versions of Continuous Data using the Mongo Select Connector up to v1.1.0.1 are affected.
- “Supported releases” includes releases in Extended Support.
- Releases that are out of support are not checked for vulnerability applicability.
Continuous Data (formerly Virtualization)
Continuous Data is only affected if the MongoDB plugin has been added and there is an active MongoDB source.
Continuous Data may be configured in a variety of different ways, all of which are susceptible to this issue. For clarity, each is listed below.
| Affected | Configuration | Notes |
|---|---|---|
| Yes* | Continuous Data | * Only affected if the MongoDB select connector is in use. |
| Yes* | Cloud Engine | * Only affected if the MongoDB select connector is in use. |
| Yes* | Continuous Vault | * Only affected if the MongoDB select connector is in use. |
Select Connectors
Connectors are versioned separately from Continuous Data.
All MongoDB Select Connector versions up to 1.1.0.1 are affected.
Continuous Compliance (formerly Masking)
N/A
Containerized Masking
N/A
Hyperscale Compliance
N/A
Data Control Tower
N/A
Delphix Compliance Services
N/A
Mitigation
Multiple mitigation steps are available and recommended:
- Limit local user access to the staging host. This may include a selection of the following options:
  - Strong option: Employ manual procedures and/or automated tooling such as Privileged Identity Management / Privileged Access Management (PIM/PAM) solutions to broker ‘break glass’ access to the staging host for authorized individuals only, on an as-needed basis (i.e. no persistent access privilege).
  - Moderate option: restrict local user access to the staging host to only a few trusted administrators.
- Adjust the privileges of the MongoDB user used by the Select Connector to connect to the source:
  - Remove `clusterAdmin` and replace it with `backup`.
- Implement Authentication Restrictions on the MongoDB user used by the select connector to connect to the dSource:
  - Restrict connections for the user so that they are only permitted when originating from the IP address of the staging host.
Resolution
This issue is resolved in Delphix MongoDB Select Connector release 1.2.0.
Update your MongoDB Select Connectors to release v1.2.0 on all affected Continuous Data, Cloud Engine and Continuous Vault installations. Update/reduce the permissions of the MongoDB user used by the select connector to connect to the dSource according to the updated documentation for Source Requirements.
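To confirm on a staging host that the exposure described above is gone after the update (and to catch any other tool that passes a MongoDB credential on its command line), the following POSIX shell audit is an added example, not part of this bulletin or of the Delphix connector. It scans a process listing for MongoDB tool invocations that carry a password in their arguments and prints the offending lines with the secret masked; the listing below is constructed for illustration, and a live check pipes `ps -eo pid,user,args` in instead.

```shell
#!/bin/sh
# Audit a process listing for MongoDB credentials passed on the command line.
# Any local account can read process arguments, so a secret there is exposed
# to every user on the host. Reads the listing on stdin.

# Print lines from mongo tools that carry a credential, with the secret masked.
# Covers --password VALUE, --password=VALUE, -p VALUE and user:pass@ in a URI.
find_exposed_creds() {
    grep -E 'mongo' \
    | grep -E -e '--password[= ][^ ]+|(^| )-p [^ ]+|mongodb([+]srv)?://[^ @/]+:[^ @]+@' \
    | sed -E \
        -e 's/(--password[= ])[^ ]+/\1********/g' \
        -e 's/(( |^)-p )[^ ]+/\1********/g' \
        -e 's#(mongodb([+]srv)?://[^ @/:]+:)[^ @]+@#\1********@#g'
}

# Number of exposed-credential lines in the listing on stdin (0 when clean).
count_exposed() {
    find_exposed_creds | grep -c '^' || true
}

# Constructed sample listing (hostnames, users and secrets are made up).
# Line 1 and line 3 expose a credential; the others are clean.
SAMPLE_PS='  PID USER     COMMAND
 1234 delphix  /usr/bin/mongodump --host source-db.example.internal --username svc_backup --password S3cretValue --archive=/tmp/dump.gz
 1235 root     /usr/sbin/sshd -D
 1236 delphix  mongorestore --uri mongodb://svc_backup:Another1@staging.example.internal:27017/?authSource=admin
 1237 delphix  /bin/sh -c sleep 30'

# Demonstration against the constructed listing; for a live host replace the
# printf with: ps -eo pid,user,args | find_exposed_creds
printf '%s\n' "$SAMPLE_PS" | find_exposed_creds
```

A non-zero count from `count_exposed` on a live listing means a credential is still readable in `ps` output and the mitigation has not fully taken effect.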
Additional Information
- Delphix MongoDB Select Connector documentation on Source Requirements.
- Documentation on installing and upgrading the Delphix MongoDB Select Connector.
- Version 1.2.0 of the connector can be downloaded from here (https://download.delphix.com > Delphix Product Releases > Select Connectors > MongoDB_Linux > v1.2.0).