Post-auth queries on compound index may crash mongod

Vulnerability

A user authorized to perform database queries can trigger a denial of service by issuing specially crafted queries involving compound indexes. This affects the QueryPlanner component. The vulnerability exists in MongoDB Server v3.6 versions prior to 3.6.9 and v4.0 versions prior to 4.0.3 [1]. The root cause is an unexpected status code or return value (CWE-394) in the query planning logic when handling compound index queries.

Exploitation

An attacker needs network access to the MongoDB server and valid credentials to issue database queries (authenticated access). By sending a specially crafted query that targets compound indexes, the attacker can trigger a crash in the QueryPlanner. The attack does not require any special privileges beyond query permissions, and no user interaction is needed. The issue was externally reported and confirmed to be exploitable against MongoDB Atlas free tier instances [1].

Impact

Successful exploitation results in a denial of service (availability impact). The mongod process crashes, causing temporary downtime for the database server. There is no impact on confidentiality or integrity. The CVSS 3.1 base score is 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) [1].

Mitigation

The vulnerability is fixed in MongoDB Server versions 3.6.9 and 4.0.3. Users should upgrade to these versions or later. As of the publication date (2020-11-23), no workaround has been provided for unpatched versions. The issue is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.