CVE-2021-20328: MongoDB Java driver client-side field level encryption not verifying KMS host name
First published: Wed Feb 17 2021(Updated: )
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.
Credit: cna@mongodb.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Mongodb Java Driver | >=3.11.0<3.11.3 | |
| Mongodb Java Driver | >=3.12.0<3.12.8 | |
| Mongodb Java Driver | >=4.0.0<4.0.6 | |
| Mongodb Java Driver | >=4.1.0<4.1.2 | |
| Mongodb Java Driver | >=4.2.0<4.2.1 | |
| Quarkus Quarkus | <1.13.3 | |
| Quarkus Quarkus | =1.13.3 | |
| redhat/mongodb-driver | <3.11.3 | 3.11.3 |
| redhat/mongodb-driver | <3.12.8 | 3.12.8 |
| redhat/mongodb-driver-legacy | <4.0.6 | 4.0.6 |
| redhat/mongodb-driver-legacy | <4.1.2 | 4.1.2 |
| redhat/mongodb-driver-legacy | <4.2.1 | 4.2.1 |
| maven/org.mongodb:mongodb-driver-legacy | =4.2.0 | 4.2.1 |
| maven/org.mongodb:mongodb-driver-sync | >=3.11.0<=3.11.2 | 3.11.3 |
| maven/org.mongodb:mongodb-driver-sync | >=3.12.0<=3.12.7 | 3.12.8 |
| maven/org.mongodb:mongodb-driver-legacy | >=3.12.0<=3.12.7 | 3.12.8 |
| maven/org.mongodb:mongodb-driver-legacy | >=3.11.0<=3.11.2 | 3.11.3 |
| maven/org.mongodb:mongodb-driver-legacy | >=4.1.0<=4.1.1 | 4.1.2 |
| maven/org.mongodb:mongodb-driver-legacy | >=4.0.0<=4.0.5 | 4.0.6 |
| maven/org.mongodb:mongo-java-driver | >=3.12.0<=3.12.7 | 3.12.8 |
| maven/org.mongodb:mongo-java-driver | >=3.11.0<=3.11.2 | 3.11.3 |
| maven/org.mongodb:mongodb-driver-sync | =4.2.0 | 4.2.1 |
| maven/org.mongodb:mongodb-driver-sync | >=4.1.0<=4.1.1 | 4.1.2 |
| maven/org.mongodb:mongodb-driver-sync | >=4.0.0<=4.0.5 | 4.0.6 |
| maven/org.mongodb:mongodb-driver | >=3.12.0<=3.12.7 | 3.12.8 |
| maven/org.mongodb:mongodb-driver | >=3.11.0<=3.11.2 | 3.11.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-20328 https://nvd.nist.gov/vuln/detail/CVE-2021-20328
- https://bugzilla.redhat.com/show_bug.cgi?id=1934236
- https://access.redhat.com/errata/RHSA-2021:0871
- https://access.redhat.com/errata/RHSA-2021:4918
- https://access.redhat.com/errata/RHSA-2021:4767
- https://access.redhat.com/security/cve/cve-2021-20328
- https://jira.mongodb.org/browse/JAVA-4017
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1934237
- https://docs.mongodb.com/manual/core/security-client-side-encryption/#driver-compatibility-table
- https://github.com/mongodb/mongo-java-driver/commit/0b441990d8621979c68a45586187f8a12c003f63
- https://nvd.nist.gov/vuln/detail/CVE-2021-20328
- https://github.com/advisories/GHSA-rghw-6px2-fgwc (Advisory)
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2021-20328?
CVE-2021-20328 is a vulnerability in specific versions of the Java driver that support client-side field level encryption (CSFLE) and fail to perform correct host name verification on the KMS server's certificate.
How does CVE-2021-20328 affect the affected software?
CVE-2021-20328 affects specific versions of the MongoDB Java driver and Quarkus Quarkus.
What is the severity level of CVE-2021-20328?
The severity level of CVE-2021-20328 is medium with a severity value of 6.4.
Which versions of the affected software are vulnerable to CVE-2021-20328?
Versions up to but excluding 3.11.3, 3.12.8, 4.0.6, 4.1.2, and 4.2.1 of the MongoDB Java driver, and versions up to but excluding 1.13.3 of Quarkus Quarkus are vulnerable to CVE-2021-20328.
Where can I find more information about CVE-2021-20328?
You can find more information about CVE-2021-20328 at the following references: [CVE-2021-20328 at cve.org](https://www.cve.org/CVERecord?id=CVE-2021-20328), [CVE-2021-20328 at NIST NVD](https://nvd.nist.gov/vuln/detail/CVE-2021-20328), [Bugzilla Red Hat Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1934236), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2021:0871).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-20328
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/severity
- agent/references
- agent/last-modified-date
- agent/title
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-rghw-6px2-fgwc
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- agent/event
- collector/github-advisory
- vendor/mongodb
- canonical/mongodb java driver
- version/mongodb java driver/3.11.0
- version/mongodb java driver/3.12.0
- version/mongodb java driver/4.0.0
- version/mongodb java driver/4.1.0
- version/mongodb java driver/4.2.0
- vendor/quarkus
- canonical/quarkus quarkus
- version/quarkus quarkus/1.13.3
- package-manager/redhat
- package-manager/maven