
MongoBleed Explained Simply

194 points by todsacerdoti yesterday at 9:03 PM | 74 comments

Comments

kentonv yesterday at 11:14 PM

A few years back I patched the memory allocator used by the Cloudflare Workers runtime to overwrite all memory with a static byte pattern on free, so that uninitialized allocations contain nothing interesting.

We expected this to hurt performance, but we were unable to measure any impact in practice.

Everyone still working in memory-unsafe languages should really just do this IMO. It would have mitigated this Mongo bug.

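
Added example, not part of the thread and not the Cloudflare Workers allocator patch: a minimal sketch of the overwrite-on-free idea described in the comment above, using a hypothetical fixed-slot pool so the recycled memory can be inspected without undefined behaviour. `pool_alloc`, `pool_free`, `leaks_after_reuse`, the slot sizes and the `0xDD` pattern are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SLOT_SIZE   64     /* assumed slot size for this sketch */
#define SLOT_COUNT  4
#define POISON_BYTE 0xDD   /* assumed pattern; any fixed byte works */

static unsigned char arena[SLOT_COUNT][SLOT_SIZE];
static unsigned char in_use[SLOT_COUNT];

/* Like malloc(): hands out the first free slot without clearing it. */
void *pool_alloc(void) {
    for (int i = 0; i < SLOT_COUNT; i++)
        if (!in_use[i]) { in_use[i] = 1; return arena[i]; }
    return NULL;  /* pool exhausted */
}

/* Release a slot; with poison != 0, overwrite it with the static
 * pattern first so the next owner sees nothing from the previous one. */
void pool_free(void *p, int poison) {
    for (int i = 0; i < SLOT_COUNT; i++) {
        if (p == (void *)arena[i] && in_use[i]) {
            if (poison) memset(arena[i], POISON_BYTE, SLOT_SIZE);
            in_use[i] = 0;
            return;
        }
    }
}

/* Returns 1 if a secret written before free is readable from the next
 * allocation of the same slot, 0 if not, -1 if the pool is exhausted. */
int leaks_after_reuse(int poison) {
    static const char secret[] = "constructed-secret-token"; /* sample data */
    char *a = pool_alloc();
    if (!a) return -1;
    memcpy(a, secret, sizeof secret);
    pool_free(a, poison);

    char *b = pool_alloc();   /* recycled slot, never written by its new owner */
    int leaked = (b != NULL) && memcmp(b, secret, sizeof secret) == 0;
    pool_free(b, 1);          /* leave the pool clean for the next call */
    return leaked;
}

int main(void) {
    printf("plain free:    leaked=%d\n", leaks_after_reuse(0));
    printf("poisoned free: leaked=%d\n", leaks_after_reuse(1));
    return 0;
}
```

The poisoning does not fix a missing length check; it only ensures that an over-read of recycled memory returns the fixed pattern instead of a previous owner's data.
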
plorkyeran yesterday at 11:26 PM

The author seems to be unaware that Mongo internally develops in a private repo and commits are published later to the public one with https://github.com/google/copybara. All of the confusion around dates is due to this.

computerfan494 yesterday at 11:28 PM

The author of this post is incorrect about the timeline. Our Atlas clusters were upgraded days before the CVE was announced.

maxrmk yesterday at 9:48 PM

How often are mongo instances exposed to the internet? I'm more of an SQL person and for those I know it's pretty uncommon, but does happen.

netsharc today at 2:39 AM

> On Dec 24th, MongoDB reported they have no evidence of anybody exploiting the CVE

Absence of evidence is not evidence of absence...

exabrial today at 1:41 AM

Why is anyone using mongo for literally anything?

whynotmaybe yesterday at 10:39 PM

I'm still thinking about the hypothetical optimism brought by OWASP top 10 hoping that major flaws will be solved and that buffer overflow has been there since the beginning... in 2003.

bschmidt107979 today at 3:17 AM

Every time someone posts about NoSQL a thousand "programmers" reveal they have never had to support a lot of traffic lol

vivzkestrel today at 3:46 AM

Is it true that Ubisoft got hacked and 900GB of data from their database was leaked due to MongoBleed? I am seeing a lot of posts on social media under the #ubisoft tags today. Can someone on HN confirm?

dwheeler today at 4:19 AM

This has many similarities to the Heartbleed vulnerability: it involves trusting lengths from an attacker, leading to unauthorized revelation of data.

reassess_blind today at 2:14 AM

Have all Atlas clusters been auto-updated with a fix?

petesergeant today at 3:05 AM

> In C/C++, this doesn’t happen. When you allocate memory via `malloc()`, you get whatever was previously there.

What would break if the compiler zeroed it first? Do programs rely on malloc() giving them the data that was there before?

fwip today at 3:07 AM

"MongoBleed Explained by an LLM"