Security vulnerability in MongoDB 3.4 and 3.6

  • In MongoDB Enterprise, when a Mongo server accepts authentication attempts via the PLAIN mechanism on the $external database and is configured to use the Cyrus SASL GSSAPI mechanism for LDAP binding, passwords are not validated.

    You can find more details on the MongoDB site: https://jira.mongodb.org/browse/SERVER-35610.

    • For Sitecore XP 8.2 Update-6, upgrade your MongoDB server to version 3.4.16.
    • For Sitecore XP 8.2 Update-7 and 9.0 Update-2, upgrade your MongoDB server to version 3.6.6. Additionally, Sitecore XP 8.2 Update-7 requires updating the Mongo driver as described in the following article: Sitecore 8.2.x support for MongoDb 3.6
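
An added example, not Sitecore or MongoDB code: a Node.js check that takes the documents returned by `db.adminCommand({buildInfo: 1})` and `db.adminCommand({getCmdLineOpts: 1})` and reports whether a server matches the configuration described above and is below the upgrade targets listed. The function names and sample documents are constructed for illustration, and it assumes that 3.4 and 3.6 releases below those targets are unfixed.

```javascript
// Added example. Inputs: results of buildInfo and getCmdLineOpts from the server.
// Assumption: 3.4.x / 3.6.x releases below the upgrade targets on this page are unfixed.
const FIXED = { "3.4": [3, 4, 16], "3.6": [3, 6, 6] };

function splitList(value) {
  // Options arrive as a comma-separated string; tolerate arrays and missing values.
  if (!value) return [];
  const items = Array.isArray(value) ? value : String(value).split(",");
  return items.map((s) => s.trim().toUpperCase()).filter(Boolean);
}

function needsUpgrade(version) {
  const parts = version.split(".").map((p) => parseInt(p, 10));
  const target = FIXED[`${parts[0]}.${parts[1]}`];
  if (!target) return { inSeries: false, below: false, target: null };
  return { inSeries: true, below: (parts[2] || 0) < target[2], target: target.join(".") };
}

function assess(buildInfo, cmdLineOpts) {
  const parsed = (cmdLineOpts && cmdLineOpts.parsed) || {};
  const bind = ((parsed.security || {}).ldap || {}).bind || {};
  const mechs = splitList((parsed.setParameter || {}).authenticationMechanisms);
  const checks = {
    enterprise: (buildInfo.modules || []).includes("enterprise"), // Enterprise builds only
    plainEnabled: mechs.includes("PLAIN"),                        // PLAIN accepted for $external
    saslBind: String(bind.method || "simple").toLowerCase() === "sasl",
    gssapiBind: splitList(bind.saslMechanisms).includes("GSSAPI"),
  };
  const ver = needsUpgrade(buildInfo.version);
  const configMatches = Object.values(checks).every(Boolean);
  return { ...checks, ...ver, configMatches, exposed: configMatches && ver.below };
}

// Constructed sample documents (not captured from a real server).
const sampleBuildInfo = { version: "3.6.5", modules: ["enterprise"] };
const sampleOpts = { parsed: {
  security: { ldap: { bind: { method: "sasl", saslMechanisms: "GSSAPI" } } },
  setParameter: { authenticationMechanisms: "PLAIN,SCRAM-SHA-1" },
} };
console.log(assess(sampleBuildInfo, sampleOpts));
```

A `configMatches` of false only says the described condition does not apply to the current configuration; the upgrade targets above still stand.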

Applies to:

CMS 8.2 Update-6, 8.2 Update-7, 9.0 Update-2

August 23, 2018
October 31, 2019

Reference number:

232727