Bug 1149102 – VUL-1: CVE-2019-2389: mongodb: Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB proc

Bug 1149102 - (CVE-2019-2389) VUL-1: CVE-2019-2389: mongodb: Incorrect scoping of kill operations in MongoDB Server's packaged SysV init scripts allow users with write access to the PID file to insert arbitrary PIDs to be killed when the root user stops the MongoDB proc

(CVE-2019-2389)
Summary:	VUL-1: CVE-2019-2389: mongodb: Incorrect scoping of kill operations in MongoD...

Status:	RESOLVED UPSTREAM

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/241613/
Whiteboard:	CVSSv2:NVD:CVE-2019-2389:3.3:(AV:L/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-09-02 11:54 UTC by Alexandros Toptsoglou
Modified:	2019-12-02 10:21 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Alexandros Toptsoglou 2019-09-02 11:54:30 UTC

CVE-2019-2389

Incorrect scoping of kill operations in MongoDB Server's packaged SysV init
scripts allow users with write access to the PID file to insert arbitrary PIDs
to be killed when the root user stops the MongoDB process via SysV init. This
issue affects: MongoDB Inc. MongoDB Server v4.0 versions prior to 4.0.11; v3.6
versions prior to 3.6.14; v3.4 versions prior to 3.4.22.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-2389
http://www.cvedetails.com/cve/CVE-2019-2389/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-2389
https://jira.mongodb.org/browse/SERVER-40563

Comment 6 Arjen de Korte 2019-10-24 13:04:56 UTC

I don't know which (open)SUSE product this relates to, but as far as I can remember the SysV init script from the source package is not used. The init script that is used in (open)SUSE, uses startproc and killproc which are not vulnerable to this attach vector.

Comment 7 Nanuk Krinner 2019-11-25 11:17:13 UTC

We use 2.4 in the cloud packages, which is an unaffected version. The used init script also uses startproc and killproc. We should be unaffected. REassigning to the security team.

Comment 8 Alexandros Toptsoglou 2019-12-02 10:21:29 UTC

Closing comment 6 and 7