Title

MongoDB products must be a version supported by the vendor. (Cat I impact)

Discussion

Unsupported commercial and database systems should not be used because fixes to newly identified bugs will not be implemented by the vendor. The lack of support can result in potential vulnerabilities. Systems at unsupported servicing levels or releases will not receive security updates for new vulnerabilities, which leaves them subject to exploitation. When maintenance updates and patches are no longer available, the database software is no longer considered supported and should be upgraded or decommissioned.

Check Content

Review the system documentation and interview the database administrator. Identify all database software components. Review the version and release information. To determine the current running MongoDB server version, run the following command from the Mongo Shell: db.version() Access the MongoDB website (https://www.mongodb.com/support-policy/lifecycles) or use other means to verify the currently running MongoDB server version is still supported. If the DBMS or any of the software components are not supported by MongoDB, this is a finding.

Fix Text

Remove or decommission all unsupported software products. Upgrade unsupported DBMS or unsupported components to a supported version of the product.

Additional Identifiers

Rule ID: SV-259797r947233_rule

Vulnerability ID: V-259797

Group Title: SRG-APP-000456-DB-000400

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.