STIGQter: STIG Summary: MongoDB Enterprise Advanced 3.x Security Technical Implementation Guide, Version 1, Release 2, Benchmark Date: 24 Jul 2020

MongoDB must check the validity of all data inputs except those specifically identified by the organization.

DISA Rule

SV-96603r1_rule

Vulnerability Number

V-81889

Group Title

SRG-APP-000251-DB-000160

Rule Version

MD3X-00-000490

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Disable the javascriptEnabled option in the config file.

security:
  javascriptEnabled: false

If document validation is needed, it should be configured according to the documentation page at https://docs.mongodb.com/manual/core/document-validation/.

Check Contents

As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem. However, MongoDB operations permit arbitrary JavaScript expressions to be run directly on the server.

If the "security.javascriptEnabled" option is set to "true" in the config file, this is a finding.

Starting with MongoDB 3.2, database-level document validation can be configured for specific collections. The validation rules configured for the selected database can be viewed via the db.getSisterDB("database_name").getCollectionInfos() command in the mongo shell.

If validation is desired but no rules are set, the validationAction is not "error", or the "bypassDocumentValidation" option is used for write commands on the application side, this is a finding.
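The following script is an added example, not part of the STIG or of MongoDB's own tooling. It applies the two server-side checks above to data an auditor already has: the text of the mongod config file and the array returned by db.getSisterDB("database_name").getCollectionInfos() in the mongo shell. The function names, the constructed sample config and collection list, and the line-based regex for the YAML key are all assumptions; treating an absent javascriptEnabled key as a finding relies on mongod's documented default of true, and an absent validationAction is treated as "error" because that is the documented default. The "bypassDocumentValidation" part of the check is an application-side code review item and is not covered here.

```javascript
// Added example for STIG rule MD3X-00-000490; not the STIG's own code.
// Check 1: security.javascriptEnabled in the mongod config file.
// Assumption: the YAML keeps `javascriptEnabled:` on its own line (the usual
// layout), so a line-based match avoids pulling in a YAML parser.
function auditJavascriptSetting(configText) {
  const m = /^[ \t]*javascriptEnabled[ \t]*:[ \t]*(true|false)\b/m.exec(configText);
  if (m === null) {
    // Key absent: mongod defaults to JavaScript enabled, so the fix is not applied.
    return { finding: true, reason: "security.javascriptEnabled not set (mongod default is true)" };
  }
  return m[1] === "true"
    ? { finding: true, reason: "security.javascriptEnabled is true" }
    : { finding: false, reason: "security.javascriptEnabled is false" };
}

// Check 2: document validation per collection. Each element of the
// getCollectionInfos() array carries an `options` sub-document holding
// validator, validationLevel and validationAction. Views and system.*
// collections are skipped because validation rules do not apply to them.
function auditCollectionValidation(collectionInfos) {
  const findings = [];
  for (const info of collectionInfos) {
    if (info.type && info.type !== "collection") continue;
    if (info.name.startsWith("system.")) continue;
    const opts = info.options || {};
    const validator = opts.validator;
    if (!validator || Object.keys(validator).length === 0) {
      findings.push({ collection: info.name, reason: "no validation rules set" });
      continue;
    }
    const action = opts.validationAction || "error"; // "error" is the default when omitted
    if (action !== "error") {
      findings.push({ collection: info.name, reason: `validationAction is "${action}", not "error"` });
    }
  }
  return findings;
}

// Combined report: overall finding is true if either check fails.
function stigReport(configText, collectionInfos) {
  const javascript = auditJavascriptSetting(configText);
  const collections = auditCollectionValidation(collectionInfos);
  return { javascript, collections, finding: javascript.finding || collections.length > 0 };
}

// Constructed sample inputs (not taken from any real deployment).
const sampleConfig = [
  "storage:",
  "  dbPath: /var/lib/mongo",
  "security:",
  "  authorization: enabled",
  "  javascriptEnabled: true",
].join("\n");

const sampleCollectionInfos = [
  { name: "users", type: "collection",
    options: { validator: { $jsonSchema: { bsonType: "object", required: ["email"] } },
               validationLevel: "strict", validationAction: "error" } },
  { name: "events", type: "collection",
    options: { validator: { status: { $in: ["new", "done"] } }, validationAction: "warn" } },
  { name: "legacy", type: "collection", options: {} },
  { name: "system.views", type: "collection", options: {} },
  { name: "active_users", type: "view", options: { viewOn: "users", pipeline: [] } },
];

// Run against the constructed data. In the mongo shell the second argument
// would instead be db.getSisterDB("database_name").getCollectionInfos().
const report = stigReport(sampleConfig, sampleCollectionInfos);
console.log(JSON.stringify(report, null, 2));
```

On the sample data the report flags the config (javascriptEnabled is true), the "events" collection (validationAction "warn") and the "legacy" collection (no validator); "users" passes, and the view and system collection are ignored. Whether a collection without rules is an actual finding depends on whether the organization requires validation there, so the list is input for the reviewer's decision rather than an automatic fail.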

Vulnerability Number

V-81889

Documentable

False

Rule Version

MD3X-00-000490

Severity Override Guidance

As a client program assembles a query in MongoDB, it builds a BSON object, not a string. Thus traditional SQL injection attacks are not a problem. However, MongoDB operations permit arbitrary JavaScript expressions to be run directly on the server.

If the "security.javascriptEnabled" option is set to "true" in the config file, this is a finding.

Starting with MongoDB 3.2, database-level document validation can be configured for specific collections. The validation rules configured for the selected database can be viewed via the db.getSisterDB("database_name").getCollectionInfos() command in the mongo shell.

If validation is desired but no rules are set, the validationAction is not "error", or the "bypassDocumentValidation" option is used for write commands on the application side, this is a finding.

Check Content Reference

M

Target Key

3265

Comments