CVE Vulnerability

CVE-2021-20335

For MongoDB Ops Manager <= 4.2.24 with multiple OM application servers, that have SSL turned on for their MongoDB processes, the upgrade to MongoDB Ops Manager <= 4.4.12 triggers a bug where Automation thinks SSL is being turned off, and can disable SSL temporarily for members of the cluster. This issue is temporary and eventually corrects itself after MongoDB Ops Manager instances have finished upgrading to MongoDB Ops Manager 4.4. In addition, customers must be running with clientCertificateMode=OPTIONAL / allowConnectionsWithoutCertificates=true to be impacted*.* Customers upgrading from Ops Manager 4.2.X to 4.2.24 and finally to Ops Manager 4.4.13+ are unaffected by this issue.

4.1 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 5.1 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

4.6 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.5

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://docs.opsmanager.mongodb.com/v4.2/release-notes/application/#onprem-server-4-2-23 Vendor Advisory
Configurations

Configuration 1

cpe:2.3:a:mongodb:ops_manager:*:*:*:*:*:*:*:*
Information

Published : 2021-02-11 10:15

Updated : 2021-06-09 03:02

NVD link : CVE-2021-20335

Mitre link : CVE-2021-20335

Products Affected

Mongodb

Ops Manager

CWE
CWE-319

Cleartext Transmission of Sensitive Information