MongoDB Response on Heartbleed OpenSSL Vulnerability

This post is to inform MongoDB users how MongoDB products and services were affected by the Heartbleed bug (CVE-2014-0160).

MongoDB (non Windows)

MongoDB dynamically links to OpenSSL and therefore the product itself is not vulnerable and does not require an update to mitigate this vulnerability. Please be aware that OpenSSL/libssl should be updated on underlying systems, as directed by the specific distribution.

Customers who have created instances utilizing MongoDB’s AWS AMIs should upgrade their operating system’s OpenSSL/libssl libraries. Amazon’s instructions and notice can be found here.

MongoDB Enterprise for Windows

MongoDB Enterprise for Windows is bundled with OpenSSL, however this was updated to a version which contained a fix for CVE-2014-0160 prior to the 2.6.0 release. Our documentation has been updated to reflect the version of OpenSSL that is bundled.

If any customers are using release candidate (-rc#) MongoDB Enterprise for Windows, they should upgrade to 2.6 GA.

MMS

MMS customers are not affected by this vulnerability. The load-balancer which performs SSL-offloading for MMS is not affected by this vulnerability.

MMS On-Prem customers are also not affected. While MMS On-Prem documentation mentions using OpenSSL for certificates, MMS On-Prem’s Jetty webserver’s SSL/TLS implementation does not rely upon OpenSSL and is not vulnerable.

comments powered by Disqus