MongoDB Response on Heartbleed OpenSSL Vulnerability
This post is to inform MongoDB users how MongoDB products and services were affected by the Heartbleed bug (CVE-2014-0160).
MongoDB (non-Windows)
MongoDB dynamically links to OpenSSL and therefore the product itself is not vulnerable and does not require an update to mitigate this vulnerability. Please be aware that OpenSSL/libssl should be updated on underlying systems, as directed by the specific distribution.
Customers who have created instances utilizing MongoDB’s AWS AMIs should upgrade their operating system’s OpenSSL/libssl libraries. Amazon has published its own instructions and notice for affected instances.
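A host-side check for the non-Windows case described above, added here as an example and not part of MongoDB's post: it confirms that the installed mongod really does pick up the system libssl (so the OS package update is what matters) and whether the installed OpenSSL reports a version in the affected range. It assumes `ldd` and the `openssl` command-line tool are available and that `mongod` is on PATH.

```shell
#!/bin/sh
# Added example, not from the MongoDB post. Assumes ldd, the openssl CLI
# and (for the host report) a mongod binary on PATH.

# CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1;
# 1.0.1g and later are fixed. Argument: a bare version string, e.g. "1.0.1e".
# Returns 0 when the version falls in the affected range.
heartbleed_affected_version() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the bare version out of an "openssl version" banner such as
# "OpenSSL 1.0.1e 11 Feb 2013" -> "1.0.1e".
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Returns 0 when the given binary dynamically links libssl (ldd lists it),
# i.e. it loads whatever libssl the distribution ships.
links_libssl() {
    ldd "$1" 2>/dev/null | grep -q 'libssl'
}

# Report on the running host. Caveat: distributions backport the fix without
# bumping the upstream version string (a patched build can still say 1.0.1e),
# so "affected" here means "verify against your distribution's advisory",
# while a version outside the range is conclusive.
check_host() {
    mongod_path=$(command -v mongod 2>/dev/null) || {
        echo "mongod not found on PATH"; return 1; }
    if links_libssl "$mongod_path"; then
        echo "$mongod_path dynamically links libssl: system package update applies"
    else
        echo "$mongod_path does not link libssl (built without SSL, or static)"
    fi
    ver=$(openssl_version_from_banner "$(openssl version 2>/dev/null)")
    if heartbleed_affected_version "$ver"; then
        echo "OpenSSL $ver is in the affected range; confirm distro patch level"
    else
        echo "OpenSSL $ver is outside the affected range"
    fi
}

# Only produce the host report when a mongod is actually installed.
if command -v mongod >/dev/null 2>&1; then check_host; fi
```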
MongoDB Enterprise for Windows
MongoDB Enterprise for Windows is bundled with OpenSSL; however, the bundled copy was updated to a version containing the fix for CVE-2014-0160 prior to the 2.6.0 release. Our documentation has been updated to reflect the version of OpenSSL that is bundled.
If any customers are using a release candidate (-rc#) of MongoDB Enterprise for Windows, they should upgrade to 2.6 GA.
MMS
MMS customers are not affected by this vulnerability. The load balancer that performs SSL offloading for MMS is not affected by this vulnerability.
MMS On-Prem customers are also not affected. While the MMS On-Prem documentation mentions using OpenSSL for certificates, the SSL/TLS implementation of MMS On-Prem’s Jetty web server does not rely upon OpenSSL and is not vulnerable.
April 11, 2014