Support for latest version of MongoDB in Ignite web console

[Ashfaq Ahamed MH <as...@gmail.com>]

Hi ,
We have received the below vulnerability for the mongodb version - 3.4.4.

VAMS :MongoDB Server 3.4.x < 3.4.22, 3.6.x < 3.6.13, 4.0.x < 4.0.9,
4.1.x < 4.1.9 - Improper Authorisation Vulnerability -
SERVER-38984(CVE-2019-2386): SVM-49539

After user deletion in MongoDB Server the improper invalidation of
authorisation sessions allows an authenticated user's session to persist and
become conflated with new accounts, if those accounts reuse the names of
deleted ones. [CVE-2019-2386]

Vendor Affected Components:
MongoDB Server 3.4.x < 3.4.22
MongoDB Server 3.6.x < 3.6.13
MongoDB Server 4.0.x < 4.0.9
MongoDB Server 4.1.x < 4.1.9



I could see that the mongodb version supported in Ignite 2.7.5 is MongoDB
(version >=3.2.x <=3.4.15).
Is there any plans to upgrade the version of the MongoDB to mitigate the
vulnerability

Regards

Re: Support for latest version of MongoDB in Ignite web console

[Denis Magda <dm...@apache.org>]

GridGain is going to release WebConsole 8.8 soon that will be available
free of charge for on-prem and Docker installations. That version doesn't
go with any MongoDB-dependencies. Stay tuned.

-
Denis


On Mon, Aug 26, 2019 at 3:10 AM Stanislav Lukyanov <st...@gmail.com>
wrote:

> Hi,
>
> I believe support for MongoDB 4.x is already implemented in
> https://issues.apache.org/jira/browse/IGNITE-10847.
> Also, I believe Ignite doesn't require a specific version of MongoDB. Have
> you tried to install the latest 3.4.x version?
>
> Thanks,
> Stan
>
> On Sun, Aug 25, 2019 at 7:04 PM Ashfaq Ahamed MH <as...@gmail.com>
> wrote:
>
>> Hi ,
>> We have received the below vulnerability for the mongodb version - 3.4.4.
>>
>> VAMS :MongoDB Server 3.4.x &lt; 3.4.22, 3.6.x &lt; 3.6.13, 4.0.x &lt;
>> 4.0.9,
>> 4.1.x &lt; 4.1.9 - Improper Authorisation Vulnerability -
>> SERVER-38984(CVE-2019-2386): SVM-49539
>>
>> After user deletion in MongoDB Server the improper invalidation of
>> authorisation sessions allows an authenticated user's session to persist
>> and
>> become conflated with new accounts, if those accounts reuse the names of
>> deleted ones. [CVE-2019-2386]
>>
>> Vendor Affected Components:
>> MongoDB Server 3.4.x < 3.4.22
>> MongoDB Server 3.6.x < 3.6.13
>> MongoDB Server 4.0.x < 4.0.9
>> MongoDB Server 4.1.x < 4.1.9
>>
>>
>>
>> I could see that the mongodb version supported in Ignite 2.7.5 is MongoDB
>> (version >=3.2.x <=3.4.15).
>> Is there any plans to upgrade the version of the MongoDB to mitigate the
>> vulnerability
>>
>> Regards
>>
>

Re: Support for latest version of MongoDB in Ignite web console

[Stanislav Lukyanov <st...@gmail.com>]

Hi,

I believe support for MongoDB 4.x is already implemented in
https://issues.apache.org/jira/browse/IGNITE-10847.
Also, I believe Ignite doesn't require a specific version of MongoDB. Have
you tried to install the latest 3.4.x version?

Thanks,
Stan

On Sun, Aug 25, 2019 at 7:04 PM Ashfaq Ahamed MH <as...@gmail.com>
wrote:

> Hi ,
> We have received the below vulnerability for the mongodb version - 3.4.4.
>
> VAMS :MongoDB Server 3.4.x &lt; 3.4.22, 3.6.x &lt; 3.6.13, 4.0.x &lt;
> 4.0.9,
> 4.1.x &lt; 4.1.9 - Improper Authorisation Vulnerability -
> SERVER-38984(CVE-2019-2386): SVM-49539
>
> After user deletion in MongoDB Server the improper invalidation of
> authorisation sessions allows an authenticated user's session to persist
> and
> become conflated with new accounts, if those accounts reuse the names of
> deleted ones. [CVE-2019-2386]
>
> Vendor Affected Components:
> MongoDB Server 3.4.x < 3.4.22
> MongoDB Server 3.6.x < 3.6.13
> MongoDB Server 4.0.x < 4.0.9
> MongoDB Server 4.1.x < 4.1.9
>
>
>
> I could see that the mongodb version supported in Ignite 2.7.5 is MongoDB
> (version >=3.2.x <=3.4.15).
> Is there any plans to upgrade the version of the MongoDB to mitigate the
> vulnerability
>
> Regards
>