Security vulnerabilities in the java driver

Veracode has identified the following vulnerabilities on mongodb java driver 4.1.1

Improper Output Neutralization for Logs (CWE ID 117)
com/mongodb/diagnostics/logging/SLF4JLogger.java: lines 41, 56 and 86
com/mongodb/internal/connection/tlschannel/impl/TlsChannelImpl: lines 357 and 471

Use of Hard-coded Password (CWE ID 259)
com/mongodb/internal/async/client/AsyncMongoClients.java: line 48
com/mongodb/client/MongoClients.java: line 40

Insufficient Entropy (CWE ID 331)
com/mongodb/internal/connection/BaseCluster.java: line 355

Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)
com/mongodb/internal/HexUtils.java: line 54

Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) (CWE ID 470)
org/bson/codecs/pojo/DiscriminatorLookup.java: line 67

I believe the CWE ID 259 and CWE ID 331 vulnerabilities are false positives. Can anyone confirm?

Are there any plans to address these vulnerabilities in future versions of the driver? If not, can they be mitigated? Are there vulnerabilities that you believe are false positives?

Hi @Aziz_Zitouni,

Thanks for the questions. Let's review the list:

Improper Output Neutralization for Logs (CWE ID 117)
These methods delegate to the user supplied and configured logging library.

Use of Hard-coded Password (CWE ID 259)
There is no password in these methods, just the default connection string “mongo://localhost”

Insufficient Entropy (CWE ID 331)
This method randomly picks from the server list.

Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)
The use of MD5 for legacy authentication was deprecated in MongoDB 4.0. However, the driver still supports 3.x versions of MongoDB. For more information about authentication mechanisms in mongodb please see: https://docs.mongodb.com/manual/core/authentication/#authentication-mechanisms

Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) (CWE ID 470)
This is not the default behaviour. When using POJOs to represent BSON documents, users can store metadata with the name of the class to hydrate the BSON data into. This is useful when modelling POJOs that contain polymorphic embedded classes.

I hope that helps,

Ross


Hi @Ross_Lawley,
On CWE ID 327, can the vulnerability be mitigated on 3.x if a more secure authentication is used? I’m thinking SCRAM-SHA-1 or Kerberos.

Regards,
Aziz

Hi @Aziz_Zitouni,

That’s correct, or using MongoDB 4.0 or greater, as challenge-response authentication was removed from the server.

Ross

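As an added example (not code from the thread or from the driver project), this is how the mitigation discussed above looks in application code against driver 4.x: the credential is built with an explicitly chosen mechanism (SCRAM-SHA-1, or Kerberos via GSSAPI) instead of leaving the mechanism to negotiation, so a client can never silently fall back to the legacy challenge-response path. The host name, database name and environment variable are placeholders.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.MongoCredential;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;

public final class ExplicitAuthMechanismExample {

    // Placeholder deployment details, not values from the thread.
    private static final String HOST_URI = "mongodb://db.example.internal:27017";
    private static final String AUTH_DB = "admin";

    /** SCRAM-SHA-1 is available on every 3.x server, so it covers the legacy
     *  deployments the thread is asking about. Pinning the mechanism here means
     *  the driver never negotiates down to anything weaker. */
    static MongoClient scramSha1Client(String user, char[] password) {
        MongoCredential cred = MongoCredential.createScramSha1Credential(user, AUTH_DB, password);
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(HOST_URI))
                .credential(cred)
                .build();
        return MongoClients.create(settings);
    }

    /** Kerberos: no password passes through the driver at all; the JVM's
     *  Kerberos login (JAAS / krb5.conf) supplies the service ticket. */
    static MongoClient kerberosClient(String principal) {
        MongoCredential cred = MongoCredential.createGSSAPICredential(principal);
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(HOST_URI))
                .credential(cred)
                .build();
        return MongoClients.create(settings);
    }

    public static void main(String[] args) {
        // Read the secret from the environment rather than hard-coding it
        // (the CWE 259 finding above was a false positive, but this keeps a
        // scanner from flagging your own code for the same reason).
        String secret = System.getenv("MONGO_APP_PASSWORD"); // placeholder variable name
        char[] password = secret == null ? new char[0] : secret.toCharArray();
        try (MongoClient client = scramSha1Client("appUser", password)) {
            client.getDatabase(AUTH_DB).runCommand(new org.bson.Document("ping", 1));
            System.out.println("authenticated with SCRAM-SHA-1");
        } finally {
            java.util.Arrays.fill(password, '\0'); // scrub the password from memory
        }
    }
}
```

The same pinning can be expressed in a connection string with `authMechanism=SCRAM-SHA-1` (or `authMechanism=GSSAPI`) when credentials come from configuration rather than code.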
