Bug 1149102 - (CVE-2019-2389) VUL-1: CVE-2019-2389: mongodb: Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB proc
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware/OS: Other / Other
Priority / Severity: P4 - Low / Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/241613/
Whiteboard: CVSSv2:NVD:CVE-2019-2389:3.3:(AV:L/A...
Reported: 2019-09-02 11:54 UTC by Alexandros Toptsoglou
Modified: 2019-12-02 10:21 UTC
Found By: Security Response Team
Description Alexandros Toptsoglou 2019-09-02 11:54:30 UTC
CVE-2019-2389

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init
scripts allow users with write access to the PID file to insert arbitrary PIDs
to be killed when the root user stops the MongoDB process via SysV init. This
issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6
versions prior to 3.6.14; v3.4 versions prior to 3.4.22.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2389
http://www.cvedetails.com/cve/CVE-2019-2389/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2389
https://jira.mongodb.org/browse/SERVER-40563
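A hardened stop routine for the weakness described above, as an added example that is not MongoDB's or (open)SUSE's init script: it refuses to signal a PID unless the PID file holds exactly one positive integer naming a live process whose command name and owner match the daemon being stopped. The path, daemon name and user are constructed placeholders, and the identity check reads /proc, so it is Linux-specific.

```sh
#!/bin/sh
# Added example, not the MongoDB or (open)SUSE init script: the "stop" path of
# a SysV init script hardened against a poisoned PID file. Rather than passing
# the file's contents straight to kill, it accepts a single positive integer
# only if it names a live process whose command name and owner match the
# daemon it is supposed to stop (checked via /proc, so Linux only).
# Constructed placeholders: PIDFILE, DAEMON_COMM, DAEMON_USER.
PIDFILE=/var/run/mongodb/mongod.pid
DAEMON_COMM=mongod
DAEMON_USER=mongodb

# Print the PID read from $1 and return 0 only when it is well formed and
# belongs to a running process named $2 owned by $3 (user name or numeric uid).
safe_pid_from_file() {
    pidfile=$1 want_comm=$2 want_user=$3
    [ -f "$pidfile" ] || return 1
    # read strips surrounding whitespace but keeps internal characters intact.
    read -r pid < "$pidfile" || :
    # Digits only: rejects an empty file, "-1" (which would signal every
    # process), "1234 1" (several PIDs) and anything else that is not one PID.
    case $pid in ''|*[!0-9]*) return 1 ;; esac
    [ "$pid" -gt 1 ] || return 1
    [ -d "/proc/$pid" ] || return 1
    case $want_user in
        *[!0-9]*) want_uid=$(id -u "$want_user" 2>/dev/null) || return 1 ;;
        *)        want_uid=$want_user ;;
    esac
    got_comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    got_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)
    [ "$got_comm" = "$want_comm" ] && [ "$got_uid" = "$want_uid" ] || return 1
    printf '%s\n' "$pid"
}

# Stop routine: signals only a PID that passed every check above.
stop_daemon() {
    if pid=$(safe_pid_from_file "$PIDFILE" "$DAEMON_COMM" "$DAEMON_USER"); then
        kill -TERM "$pid"
    else
        echo "refusing to kill: $PIDFILE missing, malformed or not $DAEMON_COMM" >&2
        return 1
    fi
}
```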
Comment 6 Arjen de Korte 2019-10-24 13:04:56 UTC
I don't know which (open)SUSE product this relates to, but as far as I can remember the SysV init script from the source package is not used. The init script that is used in (open)SUSE uses startproc and killproc, which are not vulnerable to this attack vector.
Comment 7 Nanuk Krinner 2019-11-25 11:17:13 UTC
We use 2.4 in the cloud packages, which is an unaffected version. The used init script also uses startproc and killproc. We should be unaffected. Reassigning to the security team.
Comment 8 Alexandros Toptsoglou 2019-12-02 10:21:29 UTC
Closing per comments 6 and 7.