Idk how proactive patching an exploited-in-the-wild unauth RCE is, but pr statements gonna pr i guess.
>This [...] vuln is not a breach or compromise of MongoDB
IANAL, but this seems like a pretty strong stance to take? Who exactly are you blaming here?
>vulnerability was discovered internally
>detected the issue
Interesting choice of words. I wonder if their SIEM/SOC discovered a compromise, or if someone detected a tweet.
>December 12–14 – We worked continuously
It took 72 clock hours, assumably hundreds of man hours, to fix a malloc use after free and cstring null term bug? Maybe the user input field length part was a major design point??
>dec 12 "detect" the issue, dec 19 cve, dec 23 first post
Boy this sure seems like a long time for a first communication for a guaranteed compromise if internet facing bug.
Not sure there's a security tool in the world that would stop data exfiltration via protocol error logs.
We used MongoDB's cloud offering (Atlas) and have had nothing but problems with it. Like, serious problems - "production down for multiple days" problems caused entirely by MongoDB messing up SSL certificates on their end. We were utterly powerless to do anything and their support was dreadful. I cannot take their products seriously now.
13 comments
[ 2.6 ms ] story [ 33.0 ms ] threadReference: https://bigdata.2minutestreaming.com/p/mongobleed-explained-...
Idk how proactive patching an exploited-in-the-wild unauth RCE is, but pr statements gonna pr i guess.
>This [...] vuln is not a breach or compromise of MongoDB
IANAL, but this seems like a pretty strong stance to take? Who exactly are you blaming here?
>vulnerability was discovered internally >detected the issue
Interesting choice of words. I wonder if their SIEM/SOC discovered a compromise, or if someone detected a tweet.
>December 12–14 – We worked continuously
It took 72 clock hours, assumably hundreds of man hours, to fix a malloc use after free and cstring null term bug? Maybe the user input field length part was a major design point??
>dec 12 "detect" the issue, dec 19 cve, dec 23 first post
Boy this sure seems like a long time for a first communication for a guaranteed compromise if internet facing bug.
Not sure there's a security tool in the world that would stop data exfiltration via protocol error logs.
If you follow their history, especially the jepsen analysis and the whole back and forth, you will find a pattern.
If you still run MongoDB facing the internet you have bigger problems.