Benjamin KAHANE
- Updated
A critical security vulnerability has recently been reported against MongoDB, a database used by Dalet Flex. For details, please refer to those sources of information:
Exploitation of the vulnerability is reliant on network access to the MongoDB cluster.
Dalet does not expose MongoDB outside Flex clusters, so the attack surface is already significantly restricted, however an attacker who has network access within the Flex cluster poses a threat.
Dalet has taken measures in current, future, and legacy versions back to 2022.5.0 to forestall any chance of an attack, by amending existing Dalet Flex release manifests.
There are three types of Dalet Flex operating models, thus required actions depend on the model of operation as listed in the chapters below.
Dalet SRE (Site Reliability Engineering, formerly CS OPS) will perform the update and update the customer.
There is no downtime required and there will be no impact on the platform.
The customer will open a ZenDesk ticket and Dalet SRE will coordinate an update of the environment.
There is no downtime required and there will be no impact on the platform.
In this case, the customer is responsible to redeploy the update provided by Dalet.
Dalet will provide this service to make sure it is smooth.
The customer will open a ticket and support will coordinate the update.
| Flex Version | Former MongoDB version | Remedy |
| 2025.12.0 and up | From 2025.12.0 onwards, Dalet Flex will be delivered with a version of MongoDB that includes the upstream bug fix. | not needed. |
| 2025.10.0 | MongoDB 5.0.31 (before CVE) | MongoDB 5.0.32, which includes the upstream bug fix. |
| 2025.6.x | MongoDB 4.2.24 |
disable zlib compression in the net.compression.compressors configuration entry (mitigating the CVE).
|
| 2024.11.x | ||
| 2024.5.x | ||
| 2023.12.x | ||
| 2023.6.x | MongoDB 4.2.23 |
Upgrade to MongoDB 4.2.24 and disable zlib compression in the net.compression.compressors configuration entry (mitigating the CVE).
|
| 2022.12.x | ||
| 2022.5.x | MongoDB 4.2.22 |
Versions using MongoDB 4.2.24 as listed above: automated security scanning tools may report this CVE as present; however after a relevant environment has been updated with the latest release manifest, it should be considered as a false-positive due to the configuration change to disable zlib compression.
Flex 2025.12.0 and up - From 2025.12.0 onwards, Dalet Flex will be delivered with a version of MongoDB that includes the upstream bug fix.
Flex 2025.10.0 - Former MongoDB version: 5.0.31 (before CVE) - upgrade to MongoDB 5.0.32, which includes the upstream bug fix.
Flex 2025.6.x, 2024.11.x, 2024.5.x, 2023.12.x - Former MongoDB version: 4.2.24 - disable zlib compression in the net.compression.compressors configuration entry (mitigating the CVE).
Flex 2023.6.x, 2022.12.x - Former MongoDB version: 4.2.23 - Upgrade to MongoDB 4.2.24 and disable zlib compression in the net.compression.compressors configuration entry (mitigating the CVE).
Flex 2022.5.x - Former MongoDB version: 4.2.22 - Upgrade to MongoDB 4.2.24 and disable zlib compression in the net.compression.compressors configuration entry (mitigating the CVE).
Comments
0 comments
Please sign in to leave a comment.