MongoDB Server may allow successful untrusted connection
Description
MongoDB Server may skip TLS peer certificate validation when TLS is enabled without a CA file, allowing untrusted connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Under certain configurations, MongoDB Server may skip peer certificate validation during the TLS handshake. Specifically, when the server is started with TLS enabled (net.tls.mode set to allowTLS, preferTLS, or requireTLS) and without setting net.tls.CAFile, the server does not validate client certificates against the system CA store, allowing untrusted connections to succeed [4]. This affects MongoDB Server v7.0 versions up to 7.0.5, v6.0 up to 6.0.13, v5.0 up to 5.0.24, and v4.4 up to 4.4.28 [1][2][3].
Exploitation
An attacker with network access to a vulnerable MongoDB server can initiate a TLS connection without presenting a valid certificate trusted by the server's CA. The server will accept the connection, bypassing peer certificate validation. No authentication or prior access is required. The attacker simply needs to connect to the server's TLS port while the server is in the vulnerable configuration [4].
Impact
Successful exploitation allows an attacker to establish a TLS connection that should have been rejected because of an invalid or missing client certificate. This undermines the authentication and security guarantees provided by TLS, potentially enabling man-in-the-middle attacks or unauthorized access to the MongoDB server. The exact impact depends on the server's other security settings (e.g., authentication mechanisms) [4].
Mitigation
The vulnerability is fixed in MongoDB versions 4.4.29, 5.0.25, 6.0.14, and 7.0.6 [1][2][3][4]. Upgrade to these or later versions. As a workaround, ensure that a valid net.tls.CAFile is configured when TLS is enabled. The fix also introduces a new server parameter tlsUseSystemCA to allow validation against the system CA store. MongoDB Atlas clusters are not affected [4].
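As an added audit check (not part of this advisory or of MongoDB's own tooling), the script below reads the net.tls block of a mongod.conf and reports any TLS-enabled mode configured without net.tls.CAFile, the weak configuration described above. The two embedded configs and their /etc/ssl paths are constructed samples; the parser handles only the indented key: value subset of YAML that mongod.conf uses.

```python
"""Added audit check: flag a mongod.conf that enables TLS without net.tls.CAFile."""
from typing import Dict, List, Tuple

TLS_ENABLED_MODES = {"allowTLS", "preferTLS", "requireTLS"}  # modes named in the advisory

# Constructed sample configs; the /etc/ssl paths are placeholders, not a real deployment.
WEAK_CONF = """\
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # no CAFile: the weak configuration
"""

FIXED_CONF = """\
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem
    CAFile: /etc/ssl/ca.pem   # peer certificates are validated against this CA
"""

def flatten_conf(text: str) -> Dict[str, str]:
    """Parse the 'key: value' subset of YAML used by mongod.conf into dotted keys
    (e.g. 'net.tls.mode'); skips comments; assumes consistent indent, no lists."""
    flat: Dict[str, str] = {}
    stack: List[Tuple[int, str]] = []  # (indent, key) of the enclosing sections
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:  # pop siblings and deeper scopes
            stack.pop()
        stack.append((indent, key.strip()))
        if value.strip():
            flat[".".join(k for _, k in stack)] = value.strip().strip("'\"")
    return flat

def audit_tls(conf: Dict[str, str]) -> str:
    """Return 'FINDING: ...' when TLS is enabled without a CAFile, else 'ok: ...'."""
    mode = conf.get("net.tls.mode", "disabled")
    if mode not in TLS_ENABLED_MODES:
        return f"ok: TLS is not enabled (net.tls.mode={mode})"
    ca_file = conf.get("net.tls.CAFile")
    if not ca_file:
        return (f"FINDING: net.tls.mode={mode} without net.tls.CAFile; unpatched servers "
                "may skip peer certificate validation (set CAFile or upgrade)")
    return f"ok: net.tls.mode={mode} validates peers against {ca_file}"
```

Run it over each mongod.conf in a fleet and treat every FINDING on a version below the fixed releases as a priority item.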
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- MongoDB Inc / MongoDB Server, v5, Range: 7.0
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE; mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.mongodb.com/docs/manual/release-notes/4.4/ (mitre; release-notes)
- www.mongodb.com/docs/manual/release-notes/7.0/ (mitre; release-notes)
- www.mongodb.com/docs/v5.0/release-notes/5.0/ (mitre; release-notes)
- www.mongodb.com/docs/v6.0/release-notes/6.0/ (mitre; release-notes)
- jira.mongodb.org/browse/SERVER-72839 (mitre)
- security.netapp.com/advisory/ntap-20240524-0010/ (mitre)
News mentions
No linked articles in our index yet.