I came across several reports where MongoDB installations are being targeted in malware attacks. How can I verify that MongoDB is secure and updated?
The reports state that this is a problem with installations open to the internet that do not have a password protected admin account, so I might be too paranoid. I just want to make sure.
Thanks
I opened a support ticket because this could be an issue during our compliance audits.
Splunk answered -
(start)
MongoDB is only used by Splunk in this context, so there is almost no risk of malware, as there needs to be some type of human interaction to achieve this (and Splunk is the only user of MongoDB here).
However, we are constantly vigilant about any threats or vulnerabilities. Here is an example of how SSLv3 was vulnerable to the POODLE attack (inclusive of MongoDB) and how it can be mitigated.
Long story short, if you have SSLv3 turned on, then you could be vulnerable.
(end)
As I had SSLv3 on under \etc\system\default\web.conf (sslVersions = ssl3, tls), I changed it to sslVersions = -ssl3, tls in \etc\system\local\web.conf.
Problem solved (fingers crossed).
Hi @scottrunyon - Did your answer via Support provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers, you don't have to take action on it yet. Thanks!
Have you tried connecting to port 8191 from the internet?
And yes, the splunk kvstore is just mongodb, and therefore susceptible to any MongoDB exploits. You could technically use it as a standard MongoDB for that matter. Although I don't know what the admin user/pass is that Splunk creates, I'm sure someone could figure it out easily.
2016-12-06T19:51:08.350Z I CONTROL [initandlisten] options: { net: { port: 8191, ssl: { PEMKeyFile: "C:\Program Files\Splunk\etc\auth\server.pem", PEMKeyPassword: "", allowInvalidHostnames: true, mode: "preferSSL" } }, replication: { oplogSizeMB: 200, replSet: "ADC39FAB-8C0B-43B9-A1A1-506893E94B42" }, security: { javascriptEnabled: false, keyFile: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\splunk.key" }, setParameter: { enableLocalhostAuthBypass: "0" }, storage: { dbPath: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo", mmapv1: { smallFiles: true } }, systemLog: { timeStampFormat: "iso8601-utc" } }
2016-12-06T19:55:38.745Z I ACCESS [conn1] Successfully authenticated as principal __system on local
This is from my mongo.log... Looks like it's using some auth method like the computer that starts mongo has access only...
I tried like hell to access the MongoDB using Python libs etc. I couldn't figure out authentication to save my life. Sorry I'm not very helpful here.
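Pulling together the two checks this thread touches on (whether the web.conf sslVersions list from the support answer still allows SSLv3, and what the mongod startup "options:" line in mongo.log says about encryption and access control), as an added example that is not from Splunk or any poster here. The sslVersions syntax it assumes is a comma list where a leading "-" removes a version and "*" means all; the sample config and log line are constructed from the values quoted above, with paths shortened.

```python
import re
from configparser import ConfigParser

# Constructed web.conf stanzas: the default quoted in the thread, and the local override.
WEB_CONF_DEFAULT = "[settings]\nsslVersions = ssl3, tls\n"
WEB_CONF_HARDENED = "[settings]\nsslVersions = -ssl3, tls\n"

# Constructed line in the shape of the mongod "options:" entry quoted above (paths shortened).
MONGO_LOG_LINE = (
    '2016-12-06T19:51:08.350Z I CONTROL [initandlisten] options: { net: { port: 8191, '
    'ssl: { mode: "preferSSL" } }, security: { javascriptEnabled: false, '
    'keyFile: "splunk.key" }, setParameter: { enableLocalhostAuthBypass: "0" } }'
)

def ssl3_enabled(web_conf_text):
    """True if sslVersions still allows SSLv3 (POODLE exposure). Assumed syntax: comma list,
    a leading '-' removes a version, '*' selects every supported version."""
    cp = ConfigParser()
    cp.read_string(web_conf_text)
    entries = [e.strip().lower() for e in cp.get("settings", "sslVersions", fallback="").split(",")]
    enabled = set()
    for e in entries:
        if e == "*":
            enabled.add("ssl3")
        elif e.startswith("-"):
            enabled.discard(e[1:])
        elif e:
            enabled.add(e)
    return "ssl3" in enabled

def audit_mongo_options(log_line):
    """Extract the security-relevant mongod settings from the startup options line and
    return (settings, findings); each finding is a point a defender would want to review."""
    def grab(pattern):
        m = re.search(pattern, log_line)
        return m.group(1) if m else None
    settings = {
        "port": int(grab(r"port: (\d+)") or 0),
        "ssl_mode": grab(r'mode: "(\w+)"'),
        "keyfile": grab(r'keyFile: "([^"]+)"'),
        "js_enabled": grab(r"javascriptEnabled: (true|false)") == "true",
        # mongod's default for this parameter is enabled, so a missing value counts as on
        "localhost_bypass": grab(r'enableLocalhostAuthBypass: "(\d)"') != "0",
    }
    findings = []
    if settings["ssl_mode"] != "requireSSL":  # preferSSL/allowSSL still accept plaintext clients
        findings.append("ssl mode %s still accepts unencrypted connections" % settings["ssl_mode"])
    if not settings["keyfile"]:
        findings.append("no keyFile: access control may not be enforced")
    if settings["js_enabled"]:
        findings.append("server-side JavaScript is enabled")
    if settings["localhost_bypass"]:
        findings.append("localhost auth bypass is enabled")
    return settings, findings
```

Run the audit against your own mongo.log "options:" line and the merged web.conf; the keyFile and enableLocalhostAuthBypass values in the quoted log are the ones that show access control is already in place.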
As my installations are behind firewalls and should only be accessible by my local 10.0.0.0 network, connecting to port 8196 should not be possible from the internet; however, there are a lot of people that are smarter than me.
As for the admin password, when the Splunk installation is installed, does it modify the MongoDB configuration using a default admin PW or is that changed?
Regards.