22 comments

[ 3.3 ms ] story [ 48.7 ms ] thread
How often are mongo instances exposed to the internet? I'm more of an SQL person and for those I know it's pretty uncommon, but does happen.
I'm still thinking about the hypothetical optimism brought by OWASP top 10 hoping that major flaws will be solved and that buffer overflow has been there since the beginning... in 2003.
A few years back I patched the memory allocator used by the Cloudflare Workers runtime to overwrite all memory with a static byte pattern on free, so that uninitialized allocations contain nothing interesting.

We expected this to hurt performance, but we were unable to measure any impact in practice.

Everyone still working in memory-unsafe languages should really just do this IMO. It would have mitigated this Mongo bug.

Is this the same as enabling `init_on_free=1` in the kernel?
Zeroing memory should absolutely be the default behavior for any generic allocator in 2025.

If you need better performance, write your own allocator optimized for your specific use case — it's not that hard.

Besides, you if you don't need to clear old allocations, there are likely other optimizations you'll be able to find which would never fly in a system allocator.

The author seems to be unaware that Mongo internally develops in a private repo and commits are published later to the public one with https://github.com/google/copybara. All of the confusion around dates is due to this.
The author of this post is incorrect about the timeline. Our Atlas clusters were upgraded days before the CVE was announced.
(comment deleted)
Why is anyone using mongo for literally anything
Have all Atlas clusters been auto-updated with a fix?
> On Dec 24th, MongoDB reported they have no evidence of anybody exploiting the CVE

Absence of evidence is not evidence of absence...

> In C/C++, this doesn’t happen. When you allocate memory via `malloc()`, you get whatever was previously there.

What would break if the compiler zero'd it first? Do programs rely on malloc() giving them the data that was there before?

is it true that ubisoft got hacked and 900GB of data from their database was leaked due to mongobleed, i am seeing a lot of posts on social media under the #ubisoft tags today. can someone on HN confirm?
This has many similarities to the Heartbleed vulnerability: it involves trusting lengths from an attacker, leading to unauthorized revelation of data.
MongoDB has always sucked... But it's webscale (sic)

Do yourself a favour, use ToroDB instead (or even straight PostgreSQL's JSONB).