- Splunk Answers
- :
- Splunk Administration
- :
- Security
- :
- Is Mongodb vulnerable to outside manipulation?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I came across several reports where MongoDB installations are being targeted in malware attacks. How can verify that MongoDB is secure and updated?
The reports state that this is a problem with installations open to the internet that do not have a password protected admin account, so I might be too paranoid. I just want to make sure.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I opened a support ticket because this could be an issue during our compliance audits.
Splunk answered -
(start)
MongoDB is only used by Splunk in this context, so here is almost no risk of malware as there needs to be some type of human interaction to achieve (and Splunk is the only user of MongoDB here).
However, we are constantly vigilant about any threats or vulnerabilities. Here is an example of how SSLv3 was vulnerable to the POODLE attack (inclusive of MongoDB) and how it can be mitigated.
Long story short, if you have SSLv3 turned on, then you could be vulnerable.
(end)
As I had SSLv3 on under \etc\system\default\web.conf (sslVersions = ssl3, tls), Changed to sslVersions = -ssl3, tls in \etc\system\local\web.conf.
Problem solved (fingers crossed).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I opened a support ticket because this could be an issue during our compliance audits.
Splunk answered -
(start)
MongoDB is only used by Splunk in this context, so here is almost no risk of malware as there needs to be some type of human interaction to achieve (and Splunk is the only user of MongoDB here).
However, we are constantly vigilant about any threats or vulnerabilities. Here is an example of how SSLv3 was vulnerable to the POODLE attack (inclusive of MongoDB) and how it can be mitigated.
Long story short, if you have SSLv3 turned on, then you could be vulnerable.
(end)
As I had SSLv3 on under \etc\system\default\web.conf (sslVersions = ssl3, tls), Changed to sslVersions = -ssl3, tls in \etc\system\local\web.conf.
Problem solved (fingers crossed).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @scottrunyon - Did your answer via Support provide a working solution to your question? If yes and you would like to close out your post, don't forget to click "Accept". But if you'd like to keep it open for possibilities of other answers, you don't have to take action on it yet. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried connecting to port 8191 from the internet?
And yes, the splunk kvstore is just mongodb, and therefore susceptible to any MongoDB exploits. You could technically use it as a standard MongoDB for that matter. Although I dont know what the admin user/pass is that Splunk creates, I'm sure someone could figure it out easily.
2016-12-06T19:51:08.350Z I CONTROL [initandlisten] options: { net: { port: 8191, ssl: { PEMKeyFile: "C:\Program Files\Splunk\etc\auth\server.pem", PEMKeyPassword: "", allowInvalidHostnames: true, mode: "preferSSL" } }, replication: { oplogSizeMB: 200, replSet: "ADC39FAB-8C0B-43B9-A1A1-506893E94B42" }, security: { javascriptEnabled: false, keyFile: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo\splunk.key" }, setParameter: { enableLocalhostAuthBypass: "0" }, storage: { dbPath: "C:\Program Files\Splunk\var\lib\splunk\kvstore\mongo", mmapv1: { smallFiles: true } }, systemLog: { timeStampFormat: "iso8601-utc" } }
2016-12-06T19:55:38.745Z I ACCESS [conn1] Successfully authenticated as principal __system on local
This is from my mongo.log... Looks like it's using some auth method like the computer that starts mongo has access only...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried like hell to access the MongoDB using Python libs etc. I couldn't figure out authentication to save my life. Sorry I'm not very helpful here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As my installations are behind firewalls and should only be accessible by my local 10.0.0.0 network, connecting to port 8196 should not be possible from the internet however there are a lot of people that are smarter then me.
As for the admin password, when the Splunk installation is installed, does it modify the MongoDB configuration using a default admin PW or is that changed?
Regards.
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
