PT-2021-13892 · Mongodb · Mongodb Ops Manager

Published: 2021-02-11 · Updated: 2024-09-17 · CVE-2021-20335

CVSS v3.1: 6.7 Medium
Vector: AV:A/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions:
- MongoDB Ops Manager versions prior to and including 4.2.24
- MongoDB Ops Manager versions prior to and including 4.4.12
Description: The issue occurs when upgrading MongoDB Ops Manager from a version prior to and including 4.2.24 to a version prior to and including 4.4.12 in a deployment that has multiple Ops Manager application servers and SSL/TLS enabled for the managed MongoDB processes. While the application servers are at mixed versions, Automation misinterprets the configuration as a request to turn SSL off and can temporarily disable SSL on members of the cluster, so those members accept unencrypted connections during that window (Cleartext Transmission of Sensitive Information). The condition is temporary and corrects itself once all Ops Manager instances have finished upgrading to 4.4. Only deployments running with clientCertificateMode=OPTIONAL or allowConnectionsWithoutCertificates=true are affected.
Recommendations: Upgrade to MongoDB Ops Manager 4.4.13 or later. This applies both to deployments on 4.2.24 or earlier and to deployments already on a 4.4 release up to and including 4.4.12; there is no fixed 4.2 release, so the upgrade target is 4.4.13 in either case. If an upgrade through an affected version cannot be avoided, monitor the SSL/TLS mode of every cluster member during the upgrade window so that a member on which Automation has switched SSL off is noticed and corrected promptly, and treat any connection to such a member as having been in cleartext.
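The check described above, written out as an added example (this is not MongoDB's or Ops Manager's code). It audits the Automation configuration document that Ops Manager serves at GET /api/public/v1.0/groups/{GROUP-ID}/automationConfig for the two preconditions named in the advisory (clientCertificateMode=OPTIONAL and allowConnectionsWithoutCertificates=true) and for any member whose TLS mode is not require*, which is the state the bug leaves members in; the same helper also evaluates the `parsed.net` section of a live member's getCmdLineOpts reply. The field names args2_6, net.tls, net.ssl and tls/ssl.clientCertificateMode are assumed from the Automation configuration format, and all sample data is constructed for the example.

```python
"""Audit the TLS state of Ops Manager-managed MongoDB members (added example).

Not MongoDB's or Ops Manager's own code. Flags (a) the CVE-2021-20335
preconditions, clientCertificateMode=OPTIONAL or
allowConnectionsWithoutCertificates=true, and (b) any process whose TLS
mode is not require*, the state Automation leaves members in while the
bug is active. Field names (args2_6, net.tls, net.ssl, clientCertificateMode)
are assumptions about the Automation configuration format.
"""

REQUIRE_MODES = {"requireTLS", "requireSSL"}
_NO_CERT_KEY = "allowConnectionsWithoutCertificates"


def tls_settings(net):
    """Return (mode, allow_without_certs) from a mongod `net` document.

    mongod accepts both the 4.2+ net.tls.* names and the older net.ssl.*
    names, so both are checked. A missing mode means TLS is disabled,
    which is mongod's default.
    """
    mode = "disabled"
    allow_no_cert = False
    for section in ("tls", "ssl"):
        sub = net.get(section) or {}
        if "mode" in sub:
            mode = sub["mode"]
        if sub.get(_NO_CERT_KEY):
            allow_no_cert = True
    return mode, allow_no_cert


def audit_automation_config(config):
    """Return a list of findings for one Automation configuration document."""
    findings = []
    # Deployment-wide client certificate policy: tls.clientCertificateMode
    # in current configs, ssl.clientCertificateMode in older ones (assumed).
    for section in ("tls", "ssl"):
        ccm = (config.get(section) or {}).get("clientCertificateMode")
        if ccm == "OPTIONAL":
            findings.append(
                f"{section}.clientCertificateMode=OPTIONAL: "
                "CVE-2021-20335 precondition met")
    for proc in config.get("processes", []):
        name = proc.get("name", "?")
        net = (proc.get("args2_6") or {}).get("net") or {}
        mode, allow_no_cert = tls_settings(net)
        if allow_no_cert:
            findings.append(
                f"{name}: {_NO_CERT_KEY}=true: CVE-2021-20335 precondition met")
        if mode not in REQUIRE_MODES:
            findings.append(
                f"{name}: TLS mode is '{mode}', member accepts cleartext connections")
    return findings


def check_live_member(host, cmdline_opts_reply):
    """Evaluate one member's getCmdLineOpts reply; None means it requires TLS."""
    net = (cmdline_opts_reply.get("parsed") or {}).get("net") or {}
    mode, _ = tls_settings(net)
    if mode in REQUIRE_MODES:
        return None
    return f"{host}: running with TLS mode '{mode}'"


# Constructed sample: a three-member replica set mid-upgrade. rs0_1 is the
# member Automation has temporarily switched to mode=disabled.
SAMPLE_CONFIG = {
    "version": 42,
    "tls": {"CAFilePath": "/etc/ssl/ca.pem", "clientCertificateMode": "OPTIONAL"},
    "processes": [
        {"name": "rs0_0", "hostname": "db0.example.internal",
         "args2_6": {"net": {"port": 27017,
                             "tls": {"mode": "requireTLS",
                                     "certificateKeyFile": "/etc/ssl/db0.pem"}}}},
        {"name": "rs0_1", "hostname": "db1.example.internal",
         "args2_6": {"net": {"port": 27017, "tls": {"mode": "disabled"}}}},
        {"name": "rs0_2", "hostname": "db2.example.internal",
         "args2_6": {"net": {"port": 27017,
                             "ssl": {"mode": "requireSSL",
                                     _NO_CERT_KEY: True}}}},
    ],
}

# Constructed sample of db1's reply to db.adminCommand({getCmdLineOpts: 1}).
SAMPLE_CMDLINE_OPTS = {
    "argv": ["mongod", "-f", "/data/automation-mongo.conf"],
    "parsed": {"net": {"port": 27017, "tls": {"mode": "disabled"}}},
    "ok": 1,
}

if __name__ == "__main__":
    for line in audit_automation_config(SAMPLE_CONFIG):
        print("CONFIG:", line)
    live = check_live_member("db1.example.internal:27017", SAMPLE_CMDLINE_OPTS)
    if live:
        print("LIVE:", live)
```

Against a real deployment, fetch the Automation configuration through the Ops Manager public API and, for the live check, pass each member's `client.admin.command("getCmdLineOpts")` reply from pymongo to `check_live_member`. Probe with `tls=True`: a member that should require TLS but suddenly rejects the TLS handshake, or accepts a plain connection with `tls=False`, is one Automation has flipped. A polling check can miss a short window, so it limits exposure rather than removing it; the durable fix remains upgrading to 4.4.13.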

Weakness Enumeration

Cleartext Transmission of Sensitive Information (CWE-319)

Related Identifiers

CVE-2021-20335

Affected Products

Mongodb Ops Manager