Do people usually run Mongo in a mode that allows unauthenticated calls? I don’t know anything about Mongo. This just seems surprising.

▲

erdaniels 4 hours ago | parent | next [-]

No, but it's pretty common IME to create an Atlas cluster that has internet-wide access (0.0.0.0/0) when testing and forgetting to turn this off. According to https://jira.mongodb.org/browse/SERVER-115508, this affects unauthenticated ops. Based on the repro code itself, it looks like this happens way before authentication is checked for the corresponding OP at the OP_MSG decoding level.

So if you're using Atlas, check that your Cluster has auto upgraded already. If you're using 0.0.0.0/0, stop doing that and prefer a limited IP address range and even better, use VPC Peering or other security/network boundary features.

	▲	computerfan494 4 hours ago \| parent \| next [-]
		We received communication that all Atlas clusters were upgraded with the fix before the vulnerability was announced.
	▲	yearolinuxdsktp 2 hours ago \| parent \| prev [-]
		This is a good example of a benefit of certificate-based authentication option for MongoDB, because you need to at least present a valid client certificate to transmit any data.

▲

giancarlostoro 4 hours ago | parent | prev [-]

Its default is to only take connections that are local, usually I have my mongo clients SSH into a mongo server as opposed to opening up the port to the internet. Some Mongo users / collections are very open by default.

It has been a minute since I used Mongo for production grade projects, so some things could have changed since then.