Hi,
Any chance to get a security update on dotnet driver before v2.19 for CVE-2022-48282?
Hi, @Carretero_Ruben,
Welcome to the MongoDB Community Forums.
I understand that you have a question about backporting CSHARP-4475, which addresses CVE-2022-48282, to earlier versions of the MongoDB .NET/C# Driver.
Note that the vulnerability documented in the CVE has very specific requirements, notably a property or field typed as System.Object or a collection of System.Object as opposed to a specific type. An attacker would also require direct write access to the underlying collection to modify document data in an arbitrary fashion. Typical write access through an application is insufficient to exploit this vulnerability. Lastly the vulnerability is only present on .NET Framework on Windows. If you are running .NET Core or .NET 5+, you are not vulnerable to this particular exploit. Thus many users of the MongoDB .NET/C# Driver are not affected by this vulnerability.
The challenge with a potential backport is that the fix is a breaking change. It requires affected users to opt into ObjectSerializer.AllowedTypes. Upgrading to a patch build of 2.18.X (or any other earlier version) should not require code changes, but backporting CSHARP-4475 would necessitate such code changes.
Since the CSHARP-4475 fix requires code changes to configure ObjectSerializer.AllowedTypes, upgrading to 2.19.x seemed like a reasonable ask. One potential hurdle is that 2.19.0 makes our new LINQ3 provider the default. If this causes problems, it is straightforward to switch back to the older LINQ2 provider as follows:
var connectionString = "<<YOUR_MONGODB_URI>>";
var clientSettings = MongoClientSettings.FromConnectionString(connectionString);
clientSettings.LinqProvider = LinqProvider.V2;
var client = new MongoClient(clientSettings);
Please let us know if there is a blocker to upgrading your codebase to 2.19.x to take advantage of the CSHARP-4475 fix. In particular, which earlier versions of the driver would you like to see CSHARP-4475 backported to? Ideally we can remove any blockers and facilitate an upgrade to 2.19.x. If not, we may consider a limited backport to earlier versions.
Sincerely,
James
Thanks James,
We try and update to 2.19.0 and check if the linq provider works fine.
Please let us know if you run into any difficulties. If you do, a stack trace and self-contained repro would be most helpful and appreciated. Happy to discuss here in the forums, but you can also file bugs in our issue tracker directly.
NOTE: We have already fixed a number of reported issues in 2.19.0 and plan to release 2.19.1 in the coming weeks to address these.