Support for latest version of MongoDB in Ignite web console

ashfaq

Hi,
We have received the below vulnerability for the MongoDB version - 3.4.4.

VAMS: MongoDB Server 3.4.x < 3.4.22, 3.6.x < 3.6.13, 4.0.x < 4.0.9,
4.1.x < 4.1.9 - Improper Authorisation Vulnerability -
SERVER-38984 (CVE-2019-2386): SVM-49539

After user deletion in MongoDB Server the improper invalidation of
authorisation sessions allows an authenticated user's session to persist and
become conflated with new accounts, if those accounts reuse the names of
deleted ones. [CVE-2019-2386]

Vendor Affected Components:
MongoDB Server 3.4.x < 3.4.22
MongoDB Server 3.6.x < 3.6.13
MongoDB Server 4.0.x < 4.0.9
MongoDB Server 4.1.x < 4.1.9



I could see that the MongoDB version supported in Ignite 2.7.5 is MongoDB
(version >=3.2.x <=3.4.15).
Are there any plans to upgrade the version of MongoDB to mitigate the
vulnerability?

Regards
Stanislav Lukyanov

Re: Support for latest version of MongoDB in Ignite web console

Hi,

I believe support for MongoDB 4.x is already implemented in https://issues.apache.org/jira/browse/IGNITE-10847.
Also, I believe Ignite doesn't require a specific version of MongoDB. Have you tried to install the latest 3.4.x version?

Thanks,
Stan

On Sun, Aug 25, 2019 at 7:04 PM Ashfaq Ahamed MH <[hidden email]> wrote:
Hi,
We have received the below vulnerability for the MongoDB version - 3.4.4.

VAMS: MongoDB Server 3.4.x < 3.4.22, 3.6.x < 3.6.13, 4.0.x < 4.0.9,
4.1.x < 4.1.9 - Improper Authorisation Vulnerability -
SERVER-38984 (CVE-2019-2386): SVM-49539

After user deletion in MongoDB Server the improper invalidation of
authorisation sessions allows an authenticated user's session to persist and
become conflated with new accounts, if those accounts reuse the names of
deleted ones. [CVE-2019-2386]

Vendor Affected Components:
MongoDB Server 3.4.x < 3.4.22
MongoDB Server 3.6.x < 3.6.13
MongoDB Server 4.0.x < 4.0.9
MongoDB Server 4.1.x < 4.1.9



I could see that the MongoDB version supported in Ignite 2.7.5 is MongoDB
(version >=3.2.x <=3.4.15).
Are there any plans to upgrade the version of MongoDB to mitigate the
vulnerability?

Regards
dmagda

Re: Support for latest version of MongoDB in Ignite web console

GridGain is going to release WebConsole 8.8 soon that will be available free of charge for on-prem and Docker installations. That version doesn't go with any MongoDB dependencies. Stay tuned.

-
Denis


On Mon, Aug 26, 2019 at 3:10 AM Stanislav Lukyanov <[hidden email]> wrote:
Hi,

I believe support for MongoDB 4.x is already implemented in https://issues.apache.org/jira/browse/IGNITE-10847.
Also, I believe Ignite doesn't require a specific version of MongoDB. Have you tried to install the latest 3.4.x version?

Thanks,
Stan

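
As an added example, not part of any message in this thread: a Python check of a `mongod --version` string against the affected ranges quoted in the first message, which also reports whether the first fixed release falls inside the Ignite 2.7.5 range cited there. The function names and sample inputs are constructed for illustration.

```python
import re

# From the advisory text quoted in the thread: release line -> first fixed version.
FIRST_FIXED = {
    (3, 4): (3, 4, 22),
    (3, 6): (3, 6, 13),
    (4, 0): (4, 0, 9),
    (4, 1): (4, 1, 9),
}
# Range the first message cites for Ignite 2.7.5: >=3.2.x <=3.4.15.
SUPPORTED_MIN, SUPPORTED_MAX = (3, 2, 0), (3, 4, 15)


def parse_version(text):
    """Extract x.y.z from input such as 'db version v3.4.4'; any suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(text):
    """Return (affected, first_fixed, fixed_in_cited_range) for one version string.

    All three are None when the release line is not listed in the advisory,
    because the quoted text makes no statement about it either way.
    """
    version = parse_version(text)
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return (None, None, None)
    affected = version < fixed  # tuple comparison orders 3.4.4 before 3.4.22
    in_range = SUPPORTED_MIN <= fixed <= SUPPORTED_MAX
    return (affected, fixed, in_range)


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["db version v3.4.4", "3.4.15", "3.4.22", "4.0.9", "3.2.22"]:
        affected, fixed, in_range = assess(sample)
        if affected is None:
            print(f"{sample}: release line not listed in the advisory")
            continue
        fixed_s = ".".join(map(str, fixed))
        print(f"{sample}: affected={affected}, first fixed={fixed_s}, "
              f"fixed release inside cited Ignite range={in_range}")
```

Comparing parsed integer tuples avoids the string-ordering mistake where "3.4.4" sorts after "3.4.22".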