Vulnerability scanning determines MongoDB version 2.6.11 is susceptible to attacks (4044032)

Pen-testing determines vulnerability with MongoDB version 2.6.11 used by Rapid Recovery 

The following list of Common Vulnerabilities and Exposure (CVE) found on the National Institute of Standard and Technology (NIST) National Vulnerability Database (NVD) could be detected during a security scan:

CVE-2014-3971 - A denial of service (DoS) vulnerability exist in the CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod. An unauthenticated remote attacker can exploit this to cause a denial of service (daemon crash) by attempting authentication with an invalid X.509 client certificate.

CVE-2014-8964 - A heap-based buffer overflow condition exists in PCRE. An unauthenticated remote attacker can exploit this via a crafted regular expression, related to an assertion that allows zero repeats to cause a denial of service or to cause other unspecified impact.

CVE-2016-6494 - The client in MongoDB uses world-readable permissions on .dbshell history files, which might allow local users to obtain sensitive information by reading these files.

Note: there are other CVE that could be detected, but they affect other versions of MongoDB and thus are not presented on the above list. Sometimes a CVE number is reserved by an organization or individual that will be used used to announce a security problem but details were never provided. These CVE are also not listed.

The MongoDB version 2.6.11 service on Rapid Recovery is only used to store events and info level records, no actual backup data or user credentials are stored. The update of the MongoDB version is planned for a future release of Rapid Recovery.

Below are the CVEs associated with the MongoDB version and why they do not affect Rapid Recovery. 

CVE-2014-3971 - If a denial of service (DoS) were to be executed against the MongoDB, it would only affect the events logging portion of the Core Server and not the functionality of backups.

CVE-2014-8964 - If the ports are blocked for remote access to the MongoDB on the Core Server, it would not be possible to execute the heap-based buffer overflow condition.

CVE-2016-6494 - This vulnerability does not affect the functionality of Rapid Recovery as this database is used to save core events and no sensible data is stored on it. The only user credential on the MongoDB is the default user created by Rapid Recovery for event logging.