CVE-2021-20335
Published 2021-02-11

Priority: P4 · 20 · medium · CVSS 3.1 base score 4.6
CVSS 3.1 vector: AV:A / AC:L / PR:L / UI:N / S:U / C:L / I:L / A:N
EPSS: 0.14% (3.7th percentile)
For MongoDB Ops Manager versions prior to and including 4.2.24 with multiple OM application servers that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager versions prior to and including 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted. Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mongodb | ops_manager | 4.2.0 – 4.2.24 | — |
| mongodb_inc | mongodb_ops_manager | 4.2 – 4.2.24 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.6 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
| NVD | 2.0 | 4.1 | MEDIUM | AV:A/AC:L/Au:S/C:P/I:P/A:N |
| OSV | — | 4.6 | MEDIUM | — |
GHSA

GHSA-4hh4-3rxm-gq3h (unreviewed, 2022-05-24) · CVE-2021-20335 · MEDIUM · CWE-319
For MongoDB Ops Manager 4.2.X with multiple OM application servers that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager 4.4.X triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted.
OSV

CVE-2021-20335 (osv, 2021-02-11) · CVSS 4.6 · MEDIUM · description identical to the NVD text above
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.