The open source MongoDB is the most popular NoSQL database used by companies of all sizes, from eBay and Sourceforge to The New York Times and LinkedIn.
According to Shodan's representative John Matherly, nearly 30,000 MongoDB instances are publicly accessible over the Internet without the need of any form of authentication.
This huge MongoDB database isn't exposed due to a flaw in its latest version of the software, but due to the use of out-of-date and unpatched versions of the platform that fail to bind to localhost.
While investigating NoSQL databases, Matherly focused on MongoDB that is growing in popularity.
"It turns out that MongoDB version 2.4.14 seems to be the last version that still listened to 0.0.0.0 [in which listening is enabled for all interfaces] by default, which looks like a maintenance release done on April 28, 2015," Matherly wrote in a blog post.
The security issue was first reported as a critical vulnerability back in February of 2012 by Roman Shtylman, but it took MongoDB developers a bit more than two years to rectify this security flaw.
Affected, outdated versions of MongoDB database do not have a 'bind_ip 127.0.0.1' option set in the mongodb.conf, potentially leaving users' server vulnerable if they are not aware of this setting.
According to Shtylman, "The default should be to lockdown as much as possible and only expose if the user requests it."
Affected Versions
Earlier instances of version 2.6 appeared to have been affected, significantly putting users of MongoDB database version 2.4.9 and 2.4.10, followed by 2.6.7, at risk.
Majority of publicly exposed MongoDB instances run on cloud servers such as Amazon, Digital Ocean, Linode, and Internet service and hosting provider OVH and do so without authentication, making cloud services more buggy than datacenter hosting.
"My guess is that cloud images do not get updated as often, which translates into people deploying old and insecure versions of software," Matherly said.
Affected users are recommended to immediately switch to the latest versions as soon as possible.
This isn't first time when MongoDB instances are exposed to the Internet, back in February German researchers found nearly 40,000 MongoDB instances openly available on the Internet.
Kelly Stirman, VP of Strategy at MongoDB, told The Hacker News in an email, "Recently a blog post was published that claimed some users had not properly secured their instances of MongoDB and were therefore at risk. As the article explains, the potential issue is a result of how a user might configure their deployment without security enabled. There is no security issue with MongoDB - extensive security capabilities are included with MongoDB.
"We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarised here, or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices."
Kelly Stirman, VP of Strategy at MongoDB, told The Hacker News in an email, "Recently a blog post was published that claimed some users had not properly secured their instances of MongoDB and were therefore at risk. As the article explains, the potential issue is a result of how a user might configure their deployment without security enabled. There is no security issue with MongoDB - extensive security capabilities are included with MongoDB.
"We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarised here, or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices."
