Hi everyone,

We recently discovered a security vulnerability using Open edX Full Stack or native installation methods. The vulnerability is due to the fact that MongoDB will accept connections from outside the server, with the default admin user and password.
Am I Vulnerable?

There are two things to check; both require you to log in to the server where your MongoDB is installed.

1. Is my port open to the world?

    $ netstat -plunt | grep 27017
    tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN

If you see 0.0.0.0:27017, then your MongoDB is accepting connections from anyone who can reach this machine, unless you've activated a firewall on the machine or upstream in your network.

2. Am I using the default admin account and password?

    $ mongo admin -u admin -p password --eval "db.getMongo().getDBNames()"
    MongoDB shell version: 2.6.12
    connecting to: admin
    admin,edxapp,local,cs_comments_service_development

If this command runs successfully, then you are using the default admin account and password.

If you're able to complete both steps, then your MongoDB is vulnerable.

What Should I Do?

The quickest way to address this vulnerability is to configure your MongoDB to only accept requests from within the same server.

Edit /etc/mongod.conf and add the following line to the end of the file:

    bind_ip = 127.0.0.1

Restart the mongod service.

If you're on Ubuntu 12.04:

    sudo service mongod restart

If you're on Ubuntu 16.04:

    sudo systemctl restart mongod

Verify that MongoDB is now only listening on 127.0.0.1:

    $ netstat -plunt | grep 27017
    tcp        0 127.0.0.1:27017         0.0.0.0:*               LISTEN

An additional step you can take is to install UFW (https://help.ubuntu.com/community/UFW) and only allow specific ports for incoming requests (for example, http:80, https:443, ssh:22).

For future installations, please refer to https://openedx.atlassian.net/wiki/display/OpenOPS/How+to+Override+Default+Configuration+Passwords+and+Verify+Exposed+Services for more comprehensive security information.

-- George
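The two checks and the bind_ip fix described above, scripted as an added example (this is not part of George's message or of the Open edX project). The function names, the constructed netstat lines and the temporary config file are assumptions; the helpers work on text so they can be run against captured `netstat -plunt` output and a copy of /etc/mongod.conf, or live on the host.

```shell
#!/bin/sh
# Added audit helpers for the MongoDB exposure check (example code, not from
# the original post). Works on captured text or live command output.

# mongo_listen_scope NETSTAT_OUTPUT
# Prints "exposed" if a TCP listener on 27017 is bound to a wildcard address
# (0.0.0.0, :: or *), "local" if every 27017 listener is on loopback, and
# "none" if nothing listens on 27017. UDP lines are ignored.
mongo_listen_scope() {
    addrs=$(printf '%s\n' "$1" | awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ /:27017$/ { print $4 }')
    [ -n "$addrs" ] || { echo none; return 0; }
    if printf '%s\n' "$addrs" | grep -Eq '^(0\.0\.0\.0|\*|::):27017$'; then
        echo exposed
    else
        echo local
    fi
}

# mongod_bound_to_loopback CONF_FILE
# Succeeds (exit 0) only if the last bind_ip line in the ini-style mongod.conf
# used by MongoDB 2.6 restricts the server to 127.0.0.1.
mongod_bound_to_loopback() {
    last=$(grep -E '^[[:space:]]*bind_ip[[:space:]]*=' "$1" | tail -n 1 \
           | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//')
    [ "$last" = "127.0.0.1" ]
}

# ensure_loopback_bind CONF_FILE
# Idempotent form of the manual fix: appends "bind_ip = 127.0.0.1" only when
# the file does not already bind to loopback, so re-running never duplicates it.
# Restarting mongod afterwards is still required, as in the post.
ensure_loopback_bind() {
    mongod_bound_to_loopback "$1" && return 0
    printf '\nbind_ip = 127.0.0.1\n' >> "$1"
}

# Constructed sample lines in the shape of `netstat -plunt | grep 27017`
# before and after the fix (not captured from a real host).
NETSTAT_BEFORE='tcp        0      0 0.0.0.0:27017           0.0.0.0:*               LISTEN      1234/mongod'
NETSTAT_AFTER='tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      1234/mongod'

mongo_listen_scope "$NETSTAT_BEFORE"   # exposed
mongo_listen_scope "$NETSTAT_AFTER"    # local
```

On a live host, feed the helper real output with `mongo_listen_scope "$(netstat -plunt)"` and point `ensure_loopback_bind` at /etc/mongod.conf (as root).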
