CVE-2024-1351 Overview
CVE-2024-1351 is a critical certificate validation bypass vulnerability affecting MongoDB Server. Under certain configurations of --tlsCAFile and tls.CAFile, MongoDB Server may skip peer certificate validation, which may result in untrusted connections succeeding. This effectively reduces the security guarantees provided by TLS and allows connections that should have been closed due to failing certificate validation.
Critical Impact
This vulnerability allows attackers to bypass TLS certificate validation, potentially enabling man-in-the-middle attacks and unauthorized access to MongoDB databases containing sensitive data.
Affected Products
- MongoDB Server v7.0 versions prior to and including 7.0.5
- MongoDB Server v6.0 versions prior to and including 6.0.13
- MongoDB Server v5.0 versions prior to and including 5.0.24
- MongoDB Server v4.4 versions prior to and including 4.4.28
- NetApp Astra Control Center
- NetApp ONTAP Tools 10 for VMware vSphere
Discovery Timeline
- March 7, 2024 - CVE-2024-1351 published to NVD
- March 11, 2025 - Last updated in NVD database
Technical Details for CVE-2024-1351
Vulnerability Analysis
This vulnerability (CWE-295: Improper Certificate Validation) occurs when MongoDB Server is started with TLS enabled but without a properly configured CA file. When net.tls.mode is set to allowTLS, preferTLS, or requireTLS without a corresponding net.tls.CAFile configured, the server process will allow incoming connections to skip peer certificate validation entirely.
The flaw fundamentally undermines the trust chain that TLS is designed to establish. Certificate validation is a critical security control that ensures clients are connecting to legitimate servers and vice versa. When this validation is bypassed, the encrypted channel becomes vulnerable to interception by attackers who can present fraudulent certificates.
Root Cause
The root cause lies in MongoDB's TLS configuration handling logic. When the server is configured to use TLS but lacks a proper CA file specification through net.tls.CAFile or --tlsCAFile, the certificate validation step is incorrectly skipped rather than failing safely. This represents a failure in secure default configuration principles—the system should reject connections when unable to properly validate certificates rather than allowing them through unchecked.
Attack Vector
The vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker positioned on the network path between a client and the vulnerable MongoDB server can:
- Intercept the TLS handshake between legitimate parties
- Present a self-signed or invalid certificate to the MongoDB server
- Successfully establish a connection despite the invalid certificate
- Perform man-in-the-middle attacks to intercept or modify database traffic
The attack requires the specific misconfiguration where TLS is enabled (allowTLS, preferTLS, or requireTLS) but the CA file is not properly configured. This configuration scenario is more common than expected, particularly in development environments that may inadvertently be promoted to production.
Detection Methods for CVE-2024-1351
Indicators of Compromise
- Connections established from unexpected IP addresses or clients presenting unusual certificates
- MongoDB server logs showing successful TLS connections without corresponding certificate validation entries
- Network traffic analysis revealing TLS sessions with self-signed or untrusted certificates being accepted
Detection Strategies
- Review MongoDB server configuration files for TLS settings where net.tls.mode is enabled without a corresponding net.tls.CAFile setting
- Audit MongoDB server logs for connection patterns that indicate certificate validation may not be occurring
- Implement network monitoring to detect TLS connections with unusual or self-signed certificates
- Use configuration management tools to scan for vulnerable MongoDB configurations across your infrastructure
Monitoring Recommendations
- Enable verbose TLS logging in MongoDB to capture certificate validation events
- Monitor for changes to MongoDB TLS configuration files using file integrity monitoring
- Implement alerts for MongoDB connections from untrusted network segments
- Deploy network security monitoring to detect potential man-in-the-middle attack patterns
How to Mitigate CVE-2024-1351
Immediate Actions Required
- Verify all MongoDB Server instances have net.tls.CAFile properly configured when TLS is enabled
- Upgrade affected MongoDB Server instances to patched versions immediately
- Audit all MongoDB configurations to ensure certificate validation is enforced
- Review network architecture to limit exposure of MongoDB servers to untrusted networks
Patch Information
MongoDB has released patches addressing this vulnerability in the following versions:
- MongoDB Server 7.0.6 - See MongoDB Release Notes 7.0.6
- MongoDB Server 6.0.14 - See MongoDB Release Notes 6.0.14
- MongoDB Server 5.0.25 - See MongoDB Release Notes 5.0.25
- MongoDB Server 4.4.29 - See MongoDB Release Notes 4.4.29
For additional details, refer to MongoDB Issue SERVER-72839. NetApp customers should also review NetApp Security Advisory NTAP-20240524-0010.
Workarounds
- Ensure net.tls.CAFile is always configured when enabling TLS mode in MongoDB
- Implement network segmentation to restrict access to MongoDB servers from trusted networks only
- Use mutual TLS (mTLS) authentication to enforce certificate validation on both client and server sides
- Consider deploying a TLS-terminating proxy in front of MongoDB that enforces strict certificate validation
# MongoDB configuration example with proper TLS settings
# mongod.conf
net:
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/server.pem
    CAFile: /etc/ssl/mongodb/ca.pem
    allowConnectionsWithoutCertificates: false
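The detection strategy above (review configuration files for net.tls.mode enabled without net.tls.CAFile) and the first workaround (always set net.tls.CAFile when TLS is on) can be turned into a repeatable audit. The script below is an added example, not code from the advisory or from MongoDB: it parses the key/value mapping subset of YAML that mongod.conf uses with a small indentation-based parser (a full YAML library is preferable where available), then flags TLS-enabled configurations that lack a CA file. It checks both the net.tls.* names and the legacy net.ssl.* names, and also reports allowInvalidCertificates: true as a related weakening. The two sample configurations are constructed for illustration; the vulnerable one mirrors the misconfiguration described on this page and the hardened one mirrors the mongod.conf example shown above.

```python
# Added example (not from the advisory or MongoDB): audit a mongod.conf for the
# CVE-2024-1351 misconfiguration, i.e. TLS enabled without net.tls.CAFile.
# The sample configurations at the bottom are constructed for illustration.

TLS_ENABLED_MODES = {"allowTLS", "preferTLS", "requireTLS"}
# Legacy option names (net.ssl.*) that older deployments may still carry.
SSL_ENABLED_MODES = {"allowSSL", "preferSSL", "requireSSL"}


def parse_simple_yaml(text):
    """Parse the 'key: value' mapping subset of YAML used by mongod.conf.

    Nested mappings are recognised by indentation and '#' comments are dropped
    (so a quoted value containing '#' would be truncated). Lists, anchors and
    multi-line scalars are out of scope; use a real YAML parser if you have one.
    """
    root = {}
    stack = [(-1, root)]  # (indent level, mapping open at that level)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unsupported line: {raw!r}")
        key, value = key.strip(), value.strip().strip("'\"")
        while stack[-1][0] >= indent:  # climb back out of deeper mappings
            stack.pop()
        parent = stack[-1][1]
        if value:
            parent[key] = value
        else:
            parent[key] = child = {}
            stack.append((indent, child))
    return root


def lookup(cfg, dotted):
    """Return the value at a dotted path such as 'net.tls.CAFile', or None."""
    node = cfg
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def audit_tls(cfg):
    """Return findings for TLS settings that leave peer validation switched off."""
    findings = []
    for prefix, enabled in (("net.tls", TLS_ENABLED_MODES), ("net.ssl", SSL_ENABLED_MODES)):
        mode = lookup(cfg, f"{prefix}.mode")
        if mode is None:
            continue
        # The CVE-2024-1351 shape: TLS on, but no CA file to validate peers against.
        if mode in enabled and lookup(cfg, f"{prefix}.CAFile") is None:
            findings.append(
                f"{prefix}.mode={mode} without {prefix}.CAFile: peer certificate "
                "validation may be skipped (CVE-2024-1351)")
        # Related weakening: explicitly accepting invalid certificates.
        if str(lookup(cfg, f"{prefix}.allowInvalidCertificates")).lower() == "true":
            findings.append(
                f"{prefix}.allowInvalidCertificates=true disables certificate checks")
    return findings


def audit_text(conf_text):
    """Convenience wrapper: parse a mongod.conf string and audit it."""
    return audit_tls(parse_simple_yaml(conf_text))


# Constructed sample: TLS required but no CA file, the vulnerable shape.
VULNERABLE_CONF = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/server.pem   # no CAFile set
"""

# Constructed sample: the hardened shape from the mongod.conf example above.
HARDENED_CONF = """\
net:
  port: 27017
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb/server.pem
    CAFile: /etc/ssl/mongodb/ca.pem
    allowConnectionsWithoutCertificates: false
"""

if __name__ == "__main__":
    for name, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", audit_text(conf) or ["no findings"])
```

Run it against each mongod.conf in your fleet (for example from a configuration management inventory) and treat any finding as a CVE-2024-1351 candidate to be fixed by adding net.tls.CAFile and upgrading to a patched release. Because the page notes that the equivalent --tlsCAFile command-line option is also in play, a file-only audit can miss servers started with flags rather than a config file; for a running instance, the effective options can be read with db.adminCommand({getCmdLineOpts: 1}) and the same checks applied to the returned parsed section.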
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

