Veracode has identified the following vulnerabilities in the MongoDB Java driver 4.1.1:
Improper Output Neutralization for Logs (CWE ID 117)
com/mongodb/diagnostics/logging/SLF4JLogger.java: lines 41, 56 and 86
com/mongodb/internal/connection/tlschannel/impl/TlsChannelImpl: lines 357 and 471
Use of Hard-coded Password (CWE ID 259)
com/mongodb/internal/async/client/AsyncMongoClients.java: line 48
com/mongodb/client/MongoClients.java: line 40
Insufficient Entropy (CWE ID 331)
com/mongodb/internal/connection/BaseCluster.java: line 355
Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)
com/mongodb/internal/HexUtils.java: line 54
Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) (CWE ID 470)
org/bson/codecs/pojo/DiscriminatorLookup.java: line 67
I believe the CWE ID 259 and CWE ID 331 vulnerabilities are false positives. Can anyone confirm?
Are there any plans to address these vulnerabilities in future versions of the driver? If not, can they be mitigated? Are there vulnerabilities that you believe are false positives?
Improper Output Neutralization for Logs (CWE ID 117)
These methods delegate to the user-supplied and configured logging library.
Use of Hard-coded Password (CWE ID 259)
There is no password in these methods, just the default connection string “mongo://localhost”.
Insufficient Entropy (CWE ID 331)
This method randomly picks from the server list.
Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)
The use of MD5 for legacy authentication was deprecated in MongoDB 4.0. However, the driver still supports 3.x versions of MongoDB. For more information about authentication mechanisms in mongodb please see: https://docs.mongodb.com/manual/core/authentication/#authentication-mechanisms
Use of Externally-Controlled Input to Select Classes or Code (‘Unsafe Reflection’) (CWE ID 470)
This is not the default behaviour. When using POJOs to represent BSON documents, users can store metadata with the name of the class to hydrate the BSON data into. This is useful when modelling POJOs that contain polymorphic embedded classes.
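As an added illustration of that last point (example code written for this page, not the driver's own code or the replier's), the following shows how the discriminator is switched on per class and how registering the concrete subtypes up front gives the codec a known set of class names to resolve. Shape, Circle, Square and Drawing are hypothetical application classes; the registry and codec calls are the driver's public org.bson.codecs.pojo API in 4.1.x, and the "tampered" document is constructed inline for the demonstration.

```java
import org.bson.BsonDocument;
import org.bson.BsonDocumentReader;
import org.bson.BsonDocumentWriter;
import org.bson.BsonDouble;
import org.bson.BsonString;
import org.bson.codecs.Codec;
import org.bson.codecs.DecoderContext;
import org.bson.codecs.EncoderContext;
import org.bson.codecs.ValueCodecProvider;
import org.bson.codecs.configuration.CodecConfigurationException;
import org.bson.codecs.configuration.CodecRegistries;
import org.bson.codecs.configuration.CodecRegistry;
import org.bson.codecs.pojo.PojoCodecProvider;
import org.bson.codecs.pojo.annotations.BsonDiscriminator;

// Added example, not driver code. Shape/Circle/Square/Drawing are hypothetical
// application classes used to show opt-in discriminators with the POJO codec.
public final class DiscriminatorExample {

    // Base type of the polymorphic embedded field. The annotation is what turns
    // the discriminator on; without it no class name is written or consulted.
    @BsonDiscriminator
    public abstract static class Shape { }

    // Each concrete subtype carries a short, stable discriminator value so the
    // stored metadata is an alias, not a fully qualified class name.
    @BsonDiscriminator("circle")
    public static final class Circle extends Shape {
        private double radius;
        public Circle() { }
        public double getRadius() { return radius; }
        public void setRadius(final double radius) { this.radius = radius; }
    }

    @BsonDiscriminator("square")
    public static final class Square extends Shape {
        private double side;
        public Square() { }
        public double getSide() { return side; }
        public void setSide(final double side) { this.side = side; }
    }

    // Plain POJO with no discriminator: its own documents never carry a class name.
    public static final class Drawing {
        private Shape shape;
        public Drawing() { }
        public Shape getShape() { return shape; }
        public void setShape(final Shape shape) { this.shape = shape; }
    }

    // Register every class explicitly rather than using automatic(true), so the
    // discriminator-to-class map is populated from a list the application controls.
    static CodecRegistry registry() {
        return CodecRegistries.fromProviders(
                new ValueCodecProvider(),
                PojoCodecProvider.builder()
                        .register(Shape.class, Circle.class, Square.class, Drawing.class)
                        .build());
    }

    static BsonDocument encode(final Drawing drawing, final CodecRegistry registry) {
        BsonDocument out = new BsonDocument();
        Codec<Drawing> codec = registry.get(Drawing.class);
        codec.encode(new BsonDocumentWriter(out), drawing, EncoderContext.builder().build());
        return out;
    }

    static Drawing decode(final BsonDocument doc, final CodecRegistry registry) {
        Codec<Drawing> codec = registry.get(Drawing.class);
        return codec.decode(new BsonDocumentReader(doc), DecoderContext.builder().build());
    }

    public static void main(final String[] args) {
        CodecRegistry registry = registry();

        Circle circle = new Circle();
        circle.setRadius(2.0);
        Drawing drawing = new Drawing();
        drawing.setShape(circle);

        // Encoded form is {"shape": {"_t": "circle", "radius": 2.0}}; the "_t"
        // entry is the class metadata the reply describes.
        BsonDocument encoded = encode(drawing, registry);
        System.out.println(encoded.toJson());

        // Round trip: "_t" selects Circle through the registered discriminator map.
        Drawing back = decode(encoded, registry);
        System.out.println(back.getShape().getClass().getSimpleName());

        // Constructed document whose discriminator resolves to no class: the codec
        // raises CodecConfigurationException instead of building an object.
        BsonDocument tampered = new BsonDocument("shape",
                new BsonDocument("_t", new BsonString("triangle"))
                        .append("radius", new BsonDouble(1.0)));
        try {
            decode(tampered, registry);
        } catch (CodecConfigurationException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with the 4.1.x bson jar on the classpath. Removing the @BsonDiscriminator annotations (or not calling ClassModel.builder().enableDiscriminator(true)) reproduces the default the reply refers to: no "_t" field is written and the flagged lookup class is never consulted. When discriminators are enabled, the lookup in org/bson/codecs/pojo/DiscriminatorLookup.java first checks the values registered above and otherwise attempts to load the stored string as a class name, which is what the CWE-470 finding points at; short alias values like "circle" and an explicit register(...) list keep the resolvable set small, and documents written by untrusted parties should be validated before they reach a codec with discriminators enabled.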
Hi @Ross_Lawley,
On CWE ID 327, can the vulnerability be mitigated on 3.x if a more secure authentication mechanism is used? I'm thinking SCRAM-SHA-1 or Kerberos.