Comments (65)

  • kentonv
    A few years back I patched the memory allocator used by the Cloudflare Workers runtime to overwrite all memory with a static byte pattern on free, so that uninitialized allocations contain nothing interesting. We expected this to hurt performance, but we were unable to measure any impact in practice. Everyone still working in memory-unsafe languages should really just do this IMO. It would have mitigated this Mongo bug.
  • plorkyeran
    The author seems to be unaware that Mongo internally develops in a private repo and commits are published later to the public one with https://github.com/google/copybara. All of the confusion around dates is due to this.
  • computerfan494
    The author of this post is incorrect about the timeline. Our Atlas clusters were upgraded days before the CVE was announced.
  • maxrmk
    How often are mongo instances exposed to the internet? I'm more of an SQL person and for those I know it's pretty uncommon, but does happen.
  • whynotmaybe
    I'm still thinking about the hypothetical optimism brought by OWASP top 10 hoping that major flaws will be solved and that buffer overflow has been there since the beginning... in 2003.
  • bschmidt107979
    Every time someone posts about NoSQL a thousand "programmers" reveal they have never had to support a lot of traffic lol
  • exabrial
    Why is anyone using mongo for literally anything
  • netsharc
    > On Dec 24th, MongoDB reported they have no evidence of anybody exploiting the CVE
    Absence of evidence is not evidence of absence...
  • vivzkestrel
    Is it true that Ubisoft got hacked and 900GB of data from their database was leaked due to MongoBleed? I am seeing a lot of posts on social media under the #ubisoft tags today. Can someone on HN confirm?
  • dwheeler
    This has many similarities to the Heartbleed vulnerability: it involves trusting lengths from an attacker, leading to unauthorized revelation of data.
  • reassess_blind
    Have all Atlas clusters been auto-updated with a fix?
  • petesergeant
    > In C/C++, this doesn’t happen. When you allocate memory via `malloc()`, you get whatever was previously there.
    What would break if the compiler zero'd it first? Do programs rely on malloc() giving them the data that was there before?
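An added example, not code from this thread nor from Cloudflare or MongoDB, illustrating the scrub-on-free mitigation kentonv describes and the stale-data question petesergeant raises. It assumes a toy fixed-slot pool allocator (so that slot reuse is deterministic) with a scrub toggle, and shows a freed secret becoming readable through the next uninitialised allocation unless it was overwritten on free.

```c
#include <stddef.h>
#include <string.h>

/* Toy fixed-slot pool allocator. Assumption: a stand-in for a real allocator,
 * used only so that slot reuse is deterministic. */
#define SLOT_SIZE 32
#define SLOT_COUNT 4
#define FREE_PATTERN 0xA5

static unsigned char pool[SLOT_COUNT][SLOT_SIZE];
static int slot_free[SLOT_COUNT] = {1, 1, 1, 1};
static int scrub_on_free = 1;   /* the mitigation toggle */

/* Hands out the first free slot without initialising it, like malloc(). */
void *pool_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (slot_free[i]) { slot_free[i] = 0; return pool[i]; }
    }
    return NULL;
}

/* Marks the slot free; with scrub_on_free set, overwrites it with a fixed
 * pattern first so stale data cannot surface in a later allocation. */
void pool_free(void *p) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if ((void *)pool[i] != p) continue;
        if (scrub_on_free) {
            /* volatile stops the compiler from eliding the "dead" store */
            volatile unsigned char *v = p;
            for (size_t k = 0; k < SLOT_SIZE; k++) v[k] = FREE_PATTERN;
        }
        slot_free[i] = 1;
        return;
    }
}

/* Models the bug class: a secret is freed, then a same-sized allocation is
 * read by code that never initialised it. Returns 1 if the secret is still
 * readable through the new allocation, 0 if the scrub wiped it. */
int stale_secret_leaks(int scrub) {
    static const char secret[] = "SESSION-SECRET"; /* constructed sample */
    scrub_on_free = scrub;
    char *a = pool_alloc();
    memcpy(a, secret, sizeof secret);
    pool_free(a);
    char *b = pool_alloc();                 /* reuses the slot, uninitialised */
    int leaked = memcmp(b, secret, sizeof secret) == 0;
    pool_free(b);
    return leaked;
}
```

With a real allocator the same idea applies at the free hook; the volatile store is what keeps an optimising compiler from removing the overwrite as dead.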
  • fwip
    "MongoBleed Explained by an LLM"