
Security hole discovered in 2012 comes back to haunt NoSQL system admins


July 21, 2015


Internet security researcher John Matherly says that system administrators have exposed almost 600 TB (terabytes) of data by running poorly configured or unpatched versions of the open source MongoDB database.

On any given day, eBay, Foursquare and The New York Times are some of the prominent users of the open source MongoDB which happens to be the most popular NoSQL database.

Matherly says that nearly all of the roughly 30,000 exposed databases are running older versions of the platform that do not bind to localhost by default.

"There's a total of almost 600 TB of data exposed on the internet via publicly accessible MongoDB instances that don't have any method at all of any authentication," Matherly added.

"It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to the address by default, which sure looks like a maintenance release done on April 28 of this year."

Roman Shtylman actually raised this issue back in February of 2012 and it ended up taking a bit more than two years to change the settings.

At that time, Shtylman noted that it was a critical security flaw because MongoDB shipped without any authentication at all.

"Affected versions don't have a 'bind_ip' option set in the mongodb.conf master file. This leaves a user's server extremely vulnerable if they are not aware of that setting.

The default value should be to lock down as much as possible and only expose it if the user requests it," Shtylman warns.

He adds that earlier instances of version 2.6 may have been affected as well. He also points out that most users operate version 2.4.9, with 2.4.10 and 2.6.7 close behind.
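To make the two settings at the heart of this story concrete, here is an added example (not from the article or from MongoDB itself) that audits a config file in the legacy `key = value` format that the quoted `mongodb.conf` refers to. It flags the shipped defaults Shtylman describes (no `bind_ip`, no `auth`) and checks that any `bind_ip` value is loopback-only; the sample configs and file paths are constructed for the demonstration.

```python
"""Audit a legacy key=value mongod config for the exposure described above:
a missing/non-loopback bind_ip and authentication left off."""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_legacy_conf(text):
    """Parse 'key = value' lines; '#' starts a comment; a later key wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value
    return conf


def audit_conf(text):
    """Return a list of findings; an empty list means the file is hardened."""
    conf = parse_legacy_conf(text)
    findings = []
    bind_ip = conf.get("bind_ip")
    if bind_ip is None:
        findings.append("bind_ip not set: mongod listens on all interfaces")
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        exposed = sorted(addrs - LOOPBACK)
        if exposed:
            findings.append(f"bind_ip exposes non-loopback addresses: {exposed}")
    if conf.get("auth", "false").lower() != "true":
        findings.append("auth not enabled: any client reaching the port has full access")
    return findings


# Constructed sample configs (hypothetical paths, not taken from the article).
WEAK_CONF = """\
# shipped defaults: no bind_ip, no auth
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
"""

HARDENED_CONF = """\
dbpath = /var/lib/mongodb
logpath = /var/log/mongodb/mongod.log
bind_ip = 127.0.0.1   # loopback only
auth = true           # require credentials
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_conf(conf) or ["OK"])
```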

Most exposed MongoDB instances run on cloud servers including Digital Ocean, Amazon and Linode and do so without authorization enabled, in what Matherly says is a trend in which cloud instances are more vulnerable than datacenter hosting.

"My guess is that cloud images don't get updated as often, which translates into people deploying older and much more insecure versions of software," he said.

Affected users should update to the latest versions as soon as possible. We'll keep you posted on this and other web security news.

Source: John Matherly.
