The hack itself is alarmingly simple. In versions >= 2.6.0, MongoDB includes a default configuration file that binds MongoDB to 127.0.0.1 by default. As a result, the database will only listen to local connections.
Before version 2.6.0, that wasn’t true. By default, MongoDB was left open to remote connections. Authentication is also not required by default, which means that out of the box installs of MongoDB before version 2.6.0 happily accept unauthenticated remote connections.
Users could still restrict access to local connections if they took the time to configure the install but that meant manually adding a line to their mongodb.conf file. Since that wasn’t the default configuration, many existing installs never included this critical step.
Making matters worse is that it’s easy to identify potential MongoDB attack candidates. MongoDB’s default port is 27017. Using a search engine such as ZoomEye, you can query for MongoDB installs, see what port they’re available over, and find around 100,000 vulnerable candidates.
The vulnerability itself is hardly new. The issue was first raised back in 2012 and released somewhere around 2015. Also, in early 2015, John Matherly made some noise when he reported finding around 30,000 insecure installs of MongoDB. In other words, this is something that everyone could have known about for a while.
That's not a vulnerability, that is STILL a half configured system AND no firewall on the server. And MongoDB 2.6 is relatively old, we are on 3.3 these days. This is a database cluster component, not a complete database piece on its own. Whatever "security" professional is writing this piece clearly isn't aware of what they are writing about. What they write is half true, 27017 is listening on 0.0.0.0, but it does so for a reason and is only vulnerable in places where someone did not finish setting up their database AND their server. It's not a vulnerability in the product.
This is where credit fraud protection comes into place, and class action law-suits start for all of the declined claims from people who have had their credit cards used illegally, and the bills not dropped by Visa.
I'd be surprised if there aren't already commericals on TV for 'Do you have a Visa credit card? Has your credit card been used without your consent, and the charges not dropped by Visa, call us now, you may be entitled to X"
Call J. G. Wetworth! 1-877-CASH-NOW....
Sorry... I'll see myself out now.
Let's all jump on board for lawsuits that only make the lawyers money!
Fixed it. You had used the tags incorrectly. You can only use that on unbroken paragraphs. You had it on a big block of text that had paragraph breaks in the middle, so there was no open/close tag pairs.
Ah, well, good thing that wasn't a rattlesnake, I'd be dead.